No subject

Thu Nov 23 16:31:58 EST 2017

my @snort_cmd = ('snort',
                 '-A' => 'fast',                         # one-line alerts
                 '-b',                                   # binary (tcpdump-format) logging
                 '-c' => "current/rules.$net_block",     # conf file
                 '-D',                                   # daemon mode
                 '-g' => 'snort',                        # run as group snort
                 '-i' => $interface,                     # capture interface
                 '-l' => "$log_directory/$sensor_site/$current_date/".
                         "$current_datehour/$net_block", # per-hour log directory
                 '-m' => '0002',                         # umask (octal) for log files
                 '-o',                                   # rule order: pass, alert, log...
                 '-U',                                   # timestamps in UTC
                 '-u' => 'snort',                        # run as user snort
                 '-X',                                   # dump raw packet data
                );

and the second run:

system('snort',
       '-U',                                             # timestamps in UTC
       '-A', 'full',                                     # full alert output
       '-c', "/home/snort/snort-rules/current/rules.$net_block",
       '-d',                                             # dump application-layer data
       '-e',                                             # dump link-layer headers
       '-h', "$net_block/$net_width",                    # home network
       '-l', "$log_directory/$sensor_site/$previous_date/".
             "$previous_datehour/$net_block",            # alert output directory
       '-r', "$log_directory-raw/$sensor_site/$previous_date/".
             "$previous_datehour/$net_block/$file",      # binary log written by the first run
      );

and here is the snort.conf file used for both runs:

var HOME_NET [130.216.0.0/16,202.37.88.0/24]

var EXTERNAL_NET any

var DNS_SERVERS $HOME_NET

var SMTP_SERVERS $HOME_NET

var HTTP_SERVERS $HOME_NET

var SQL_SERVERS $HOME_NET

var TELNET_SERVERS $HOME_NET

var HTTP_PORTS 80

var SHELLCODE_PORTS !80

var ORACLE_PORTS 1521

var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

var RULE_PATH /home/snort/snort-rules/current

preprocessor frag2

preprocessor stream4: disable_evasion_alerts, ttl_limit 5, log_flushed_streams

preprocessor stream4_reassemble

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

preprocessor rpc_decode: 111 32771

preprocessor bo: -nobrute

preprocessor telnet_decode

include classification.config

include reference.config

As an aside, I notice that other stuff gets lost this way, in particular
alerts from the stream4 preprocessor, even though I am using
log_flushed_streams.

Cheers, Russell.
     
-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so"  - Gershwin
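The two-pass setup in the message (a live sensor writing binary logs into per-hour directories, then a second Snort run replaying the previous hour's log with full alerting) as an added example in Python; this is not Russell's script or any Snort project code. It assumes: a site name `site1`, a rule directory `/home/snort/snort-rules/current` as in the post, a separate raw tree (`/var/log/snort-raw`) that pass 1 logs into and pass 2 reads from (the second command's `-r` path points at a `-raw` tree, so this example writes there directly), Snort's default `snort.log.<epoch>` name for `-b` output, and an hourly cron job for the replay. Both commands are argv lists passed to `subprocess` without a shell, and the directory names are computed in UTC to match `-U`.

```python
"""Two-pass Snort driver: an added example, not the poster's script.

Pass 1 runs the live sensor as a daemon with fast alerts and tcpdump-format
binary logging (-b) into a per-hour directory.  Pass 2, run from cron after
the hour rolls over, replays the previous hour's binary log (-r) with full
alerts.  Directory roots, site name and the raw/alert split are assumptions.
"""
import subprocess
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

RULE_DIR = Path("/home/snort/snort-rules/current")  # path used in the post
RAW_ROOT = Path("/var/log/snort-raw")               # assumed: pass-1 binary logs
LOG_ROOT = Path("/var/log/snort")                   # assumed: pass-2 alert output
SENSOR_SITE = "site1"                               # assumed sensor name


def parse_utc(text):
    """Parse 'YYYY-MM-DDTHH:MM' as a UTC-aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)


def hour_dirs(when):
    """(date, datehour) directory names for the hour containing `when`.

    Computed in UTC so the names agree with the UTC packet timestamps that
    `snort -U` writes, whatever the sensor's local time zone.
    """
    when = when.astimezone(timezone.utc)
    return when.strftime("%Y%m%d"), when.strftime("%Y%m%d%H")


def log_dir(root, when, net_block):
    """root/site/date/datehour/net_block: the layout both passes use."""
    date, datehour = hour_dirs(when)
    return root / SENSOR_SITE / date / datehour / net_block


def sensor_argv(interface, net_block, when):
    """Pass 1: live capture, fast alerts, binary log, privileges dropped to snort."""
    return [
        "snort", "-D",                      # daemon mode
        "-A", "fast",
        "-b",                               # tcpdump-format packet log
        "-c", str(RULE_DIR / f"rules.{net_block}"),
        "-i", interface,
        "-l", str(log_dir(RAW_ROOT, when, net_block)),
        "-m", "002",                        # umask for files snort creates
        "-u", "snort", "-g", "snort",       # drop root once the interface is open
        "-U",                               # UTC timestamps
    ]


def replay_argv(net_block, net_width, raw_file, out_dir):
    """Pass 2: re-read one binary log with full alerts and payload/header dumps."""
    return [
        "snort", "-U",
        "-A", "full",
        "-c", str(RULE_DIR / f"rules.{net_block}"),
        "-d", "-e",                         # application data and link-layer headers
        "-h", f"{net_block}/{net_width}",   # home network for this instance
        "-l", str(out_dir),
        "-r", str(raw_file),
    ]


def replay_previous_hour(net_block, net_width, now, raw_root=RAW_ROOT,
                         log_root=LOG_ROOT, run=subprocess.run):
    """Replay every binary log pass 1 wrote during the hour before `now`.

    Returns the argv lists that were executed (empty if that hour has no
    log), so a caller or a test can see exactly what ran.
    """
    prev = now - timedelta(hours=1)
    raw_dir = log_dir(raw_root, prev, net_block)
    out_dir = log_dir(log_root, prev, net_block)
    executed = []
    for raw_file in sorted(raw_dir.glob("snort.log.*")):   # default -b file name
        out_dir.mkdir(parents=True, exist_ok=True)
        argv = replay_argv(net_block, net_width, raw_file, out_dir)
        run(argv, check=True)
        executed.append(argv)
    return executed


def demo():
    """Offline run over a constructed raw-log tree with a recording fake runner."""
    now = parse_utc("2017-11-24T00:15")     # previous hour lies on the previous date
    ran = []
    with tempfile.TemporaryDirectory() as tmp:
        raw_root, log_root = Path(tmp) / "raw", Path(tmp) / "alerts"
        raw_dir = log_dir(raw_root, now - timedelta(hours=1), "130.216.0.0")
        raw_dir.mkdir(parents=True)
        (raw_dir / "snort.log.1511478000").write_bytes(b"")  # constructed stand-in
        replay_previous_hour("130.216.0.0", 16, now, raw_root, log_root,
                             run=lambda argv, check=True: ran.append(argv))
    return ran


if __name__ == "__main__":
    for argv in demo():
        print(" ".join(argv))
```

Running `demo()` shows the date rollover that an hourly replay has to get right: at 00:15 UTC the previous hour is 23:00 on the previous date, so both the `-r` source and the `-l` destination land under `20171123/2017112323/`. Computing those names from anything other than the same UTC clock Snort uses for `-U` is the usual way an hour of logs ends up in the wrong directory and is silently skipped by the replay.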

More information about the Snort-devel mailing list