[Snort-devel] confirm 343ec785cc752e98b958383c9c38dfab4b0200dc

Russ Combs (rucombs) rucombs at ...3461...
Sun Jan 18 13:24:07 EST 2015


________________________________
From: 박종일 [pji5732 at ...3549...]
Sent: Saturday, January 17, 2015 11:20 PM
To: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] confirm 343ec785cc752e98b958383c9c38dfab4b0200dc

um.. i edit conf file and local rule however, Like symptoms before setting it
not working logger! unified2 file size is 0
please help me...

* Try removing the -K text from the command line.  That puts Snort into logging mode (not IDS mode).

* It also helps to isolate issues.  Do you see total alerts > zero at shutdown?  If not, start with that.  If you do see total alerts, how many logged?

* Once you see that events are being logged, you can focus on the actual output.  It generally helps to use -A cmg etc. for pcaps until you are getting stuff logged.

* If you are still having issues, please post the shutdown output.

* Also, you should be posting to snort-users instead of snort-devel.  There are many more users who can potentially help you get up and running.

------------------snort.lua--------------------------
---------------------------------------------------------------------------
-- Snort++ configuration
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- setup environment
---------------------------------------------------------------------------
-- given:
-- export DIR=/install/path
-- configure --prefix=$DIR
-- make install
--
-- then:
-- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
-- export SNORT_LUA_PATH=$DIR/conf/
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- setup the basics
---------------------------------------------------------------------------

require('snort_config') -- for loading

-- Setup the network addresses you are protecting
HOME_NET = '192.168.223.0/24'

-- Set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = '!' .. HOME_NET

conf_dir = os.getenv('SNORT_LUA_PATH')

if ( not conf_dir ) then
conf_dir = '.'
end

dofile(conf_dir .. '/snort_defaults.lua')
dofile(conf_dir .. '/classification.lua')
dofile(conf_dir .. '/reference.lua')

---------------------------------------------------------------------------
-- configure modules
---------------------------------------------------------------------------
--
-- mod = { } uses internal defaults
-- you can see them with snort --help-module mod
-- comment or delete to disable mod functionality
--
-- you can also use default_ftp_server and default_wizard
---------------------------------------------------------------------------

--pcap file
--log_pcap = { }
--log_pcap.limit = 0
--log_pcap.units = B
-- uncomment ppm if you built with --enable-ppm
ppm = { }

-- uncomment profile if you built with --enable-perfprofile
--profile = { }

-- uncomment normalizer if you are inline or not --pedantic
--normalizer = { }

stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }

perf_monitor = { }
perf_monitor.console = true
perf_monitor.file = false
perf_monitor.seconds = 1
perf_monitor.packets = 1


arp_spoof = { }
back_orifice = { }
rpc_decode = { }
port_scan = { }
telnet = { }

-- use http_inspect or new_http_inspect (incomplete)
http_inspect = { }
--new_http_inspect = { }

ftp_server = default_ftp_server
ftp_client = { }
ftp_data = { }

wizard = default_wizard


--unified2 & output
alert_fast = { }
unified2 = { }
unified2.limit = 0
unified2.units = B
unified2.nostamp = false
unified2.mpls_event_types = true
unified2.vlan_event_types = true

output = { }
output.verbose = true
output.quiet = false
output.dump_payload = true
output.dump_payload_verbose =ture

---------------------command--------------------------------------

[root at ...196... ~]# snort -i eno16777736 -c /usr/local/etc/snort/snort.lua -R /etc/snort/rules -l /var/log/snort/ -K text -d -v -e

--------------------------------------------------
o")~ Snort++ 3.0.0-a1-130
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
back_orifice
classifications
output
alert_fast
stream_tcp
ftp_data
unified2
ftp_server
http_inspect
telnet
port_scan
rpc_decode
arp_spoof
perf_monitor
stream_ip
stream
ftp_client
stream_icmp
references
stream_udp
wizard
Finished /usr/local/etc/snort/snort.lua.
Loading rules:
Loading /etc/snort/rules:
Finished /etc/snort/rules.
Finished rules.
Wizard
back_orifice
arpspoof configured
Stream5 TCP Policy config:
Reassembly Policy: LAST
Timeout: 30 seconds
Maximum number of bytes to queue per session: 1048576
Maximum number of segs to queue per session: 2621
Require 3-Way Handshake: NO
Stream IP config:
Timeout: 60 seconds
Defrag engine config:
engine-based policy: LINUX
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Max frags: 8192
Max overlaps: 0
Min fragment Length: 0
Stream5 ICMP config:
Timeout: 30 seconds
Stream5 UDP config:
Timeout: 30 seconds
Ignore Any -> Any Rules: NO
ftp_client:
Check for Bounce Attacks: OFF
Check for Telnet Cmds: OFF
Ignore Telnet Cmd Operations: OFF
Max Response Length: -1
ftp_server:
Check for Telnet Cmds: ON
Ignore Telnet Cmd Operations: ON
Identify open data channels: YES
Check for Encrypted Traffic: ON
Continue to check encrypted data: NO
HttpInspect Config:
GLOBAL CONFIG
Detect Proxy Usage: NO
IIS Unicode Map Filename: (null)
IIS Unicode Map Codepage: 1252
Memcap used for logging URI and Hostname: 150994944
Max Gzip Memory: 838860
Max Gzip sessions: 5825
Gzip Compress Depth: 65535
Gzip Decompress Depth: 65535
DEFAULT SERVER CONFIG:
Server profile: All
Server Flow Depth: 0
Client Flow Depth: 0
Max Chunk Length: 500000
Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
Max Header Field Length: 750
Max Number Header Fields: 100
Max Number of WhiteSpaces allowed with header folding: 200
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Oversize Dir Length: 500
Only inspect URI: NO
Normalize HTTP Headers: NO
Inspect HTTP Cookies: YES
Inspect HTTP Responses: YES
Unlimited decompression of gzip data from responses: YES
Normalize Javascripts in HTTP Responses: YES
Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
Normalize HTTP Cookies: NO
Enable XFF and True Client IP: NO
Extended ASCII code support in URI: NO
Log HTTP URI data: NO
Log HTTP Hostname data: NO
Extract Gzip from responses: YES
Ascii: OFF
Double Decoding: OFF
%U Encoding: ON
Bare Byte: OFF
UTF 8: OFF
IIS Unicode: OFF
Multiple Slash: OFF
IIS Backslash: OFF
Directory Traversal: OFF
Web Root Traversal: OFF
Apache WhiteSpace: OFF
IIS Delimiter: OFF
IIS Unicode Map: NOT CONFIGURED
Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
TELNET CONFIG:
Are You There Threshold: -1
Normalize: NO
Check for Encrypted Traffic: OFF
Continue to check encrypted data: NO
rpc_decode
Portscan Detection Config:
Detect Protocols:
Detect Scan Type:
Sensitivity Level:
Memcap (in bytes): 1048576
Number of Nodes: 0
PerfMonitor config:
Sample Time: 1 seconds
Packet Count: 1
Max File Size: 2147483647
Base Stats: ACTIVE (SUMMARY)
Base Stats File: INACTIVE
Max Perf Stats: INACTIVE
Flow Stats: INACTIVE (SUMMARY)
Event Stats: INACTIVE (SUMMARY)
Flow IP Stats: INACTIVE (SUMMARY)
Console Mode: ACTIVE
Binder
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] eno16777736

----------------------------------ll /var/log/snort/-----------------------------
[root at ...196... ~]# ll /var/log/snort/
total 40
-rw-r--r--. 1 root root 0 Jan 14 02:05 barnyard2.waldo
-rw-------. 1 root root 37516 Jan 15 23:18 log.pcap
-rw-------. 1 root root 0 Jan 15 23:16 unified2log.u2.1421381779
-rw-------. 1 root root 0 Jan 16 01:11 unified2log.u2.1421388663
[root at ...196... ~]#

--------------------------------------------rules -------------------------------------
[root at ...196... ~]# cat /etc/snort/rules/local.rules
# Copyright 2001-2013 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------
# LOCAL RULES
#-------------

alert icmp any any -> any any (msg:"icmp"; itype:8; sid:100000; rev:1;)
alert tcp any any -> any any (msg:"tcp"; sid:"1000001";)


[root at ...196... ~]#


---------------------------------------------------------------------------




블로그서명
시작했다면 끝을 보아라
자기소개를 입력하세요.



블로그서명

[블로그]<http://blog.naver.com/pji5732.do> 시작했다면 끝을 보아라<http://blog.naver.com/pji5732.do>
자기소개를 입력하세요.<http://blog.naver.com/pji5732.do>
[http://mail.naver.com/readReceipt/notify/?img=SeKqFqkG1NgqFouqhAnZFoM%2FKxv%2FFrJ0Kqv%2FaAb%2Fpou9K6u%2FFo2daxu%2FFuIo%2Br3T%2Br%2FmKLl5WLl51zlqDBFdp6d5MreRhoRqW4eZ%2BV9vpBp0WuIn1BFdbZlqWXkZMrk4WXiNpLl5pBt%3D.gif]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20150118/ba872988/attachment.html>


More information about the Snort-devel mailing list