[Snort-users] Snort and Guardian

Michele Sibau michele at ...3742...
Wed Oct 10 03:42:06 EDT 2001


Hello,
excuse me if I'm boring you with my question...
The problem is that I can't make Guardian work for me:
I can't understand how to produce the snort.alert file.
I can only get a 0917 at ...3743... file, but Guardian doesn't
work (I've also tried to rename it, but...).
Can you give me some ideas?
Thank you very much in advance for your patience!
Michele

I'm using snort Version 1.8.1-RELEASE (Build 74)
and Guardian with these lines in the conf file:

# Snort's alert file.
alertFile       /var/log/snort/snort.alert

The /var/log/snort directory looks like this:

0816 at ...3744...  0820 at ...3745...  0822 at ...3746...  portscan.log
0817 at ...3747...  0821 at ...3748...  0822 at ...3749...
0817 at ...3750...  0821 at ...3751...  0822 at ...3752...
0820 at ...3753...  0821 at ...3754...  0917 at ...3743...
0820 at ...3755...  0822 at ...3756...  0917 at ...3757...

and the snort conf file:

#-------------------------------------------------
#   http://www.snort.org     Snort 1.8.0 Ruleset
#     Contact: snort-sigs at lists.sourceforge.net
#--------------------------------------------------
# NOTE:This ruleset only works for 1.8.0 and later
#--------------------------------------------------
# $Id: snort.conf,v 1.62 2001/08/12 04:31:01 roesch Exp $
#
###################################################
# This file contains a sample snort configuration.
# You can take the following steps to create your
# own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently
# setup for an RFC 1918 address space.
#
# You can specify it explicitly as:
#
# var HOME_NET 10.1.0.0/24
#
# or use global variable $<interfacename>_ADDRESS
# which will be always initialized to IP address and
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.0.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET any

# Set up the external network addresses as well.
# A good start may be "any"

var EXTERNAL_NET any

# Set up your SMTP servers, or simply configure them
# to HOME_NET

var SMTP $HOME_NET

# Set up your web servers, or simply configure them
# to HOME_NET

var HTTP_SERVERS $HOME_NET

# Set up your sql servers, or simply configure them
# to HOME_NET

var SQL_SERVERS $HOME_NET

# Define the addresses of DNS servers and other hosts
# if you want to ignore portscan false alarms from them...

var DNS_SERVERS $HOME_NET

###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of
# the form
# preprocessor <name_of_processor>: <configuration_options>

# minfrag: detect small fragments
# -------------------------------
# minfrag has been deprecated as of build 26

# defrag: defragmentation support
# -------------------------------
# IP defragmentation support from Dragos Ruiu. There
# are no configuration options at this time.

#preprocessor defrag
preprocessor frag2

# stream2: TCP stream reassembly
# -------------------------------------
# TCP stream reassembly preprocessor from Chris Cramer.
# This preprocessor should always go after the defrag
# preprocessor, but before application layer decoders.
# The example below monitors ports 23 and 80, has a
# timeout after 10 seconds, and will send reassembled
# packets of max payload 16384 bytes through the
# detection engine. See README.tcpstream for more
# information and configuration options. Uncomment
# the following line and configure appropriately to
# enable this preprocessor.
#
# NOTE: This code should still be considered BETA!
# It seems to be stable, but there are still some
# issues that remain to be resolved, so make sure you
# keep an eye on your Snort sensor if you enable this plugin
# The older version which definitely had issues w/ packet
# loss is still in the code base, to use it in place of the
# new version, use "preprocessor stream: ..."

#preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat
# stick/snot against TCP rules.  Also performs full TCP stream
# reassembly, stateful inspection of TCP streams, etc.  Can statefully
# detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8MB)
# options (options are comma delimited):
#   detect_scans - stream4 will detect stealth portscans and generate alerts
#                  when it sees them when this option is set
#   detect_state_problems - detect TCP state problems, this tends to be very
#                           noisy because there are a lot of crappy ip stack
#                           implementations out there
#   keepstats [machine] - keep session statistics, add "machine" to get them in
#                         a flat format for machine reading
#   noinspect - turn off stateful inspection only
#   timeout [number] - set the session timeout counter to [number] seconds,
#                      default is 30 seconds
#   memcap [number] - limit stream4 memory usage to [number] bytes

preprocessor stream4: detect_scans

# tcp stream reassembly directive
# no arguments loads the default configuration (clientonly, ports default,
# alerts on)
# options (still comma delimited):
#   clientonly - reassemble traffic for the client side of a connection only
#   serveronly - reassemble traffic for the server side of a connection only
#   both - reassemble both sides of a session
#   noalerts - turn off alerts from the stream reassembly stage of stream4
#   ports [list] - use the space separated list of ports in [list], "all"
#                  will turn on reassembly for all ports, "default" will turn
#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
#                  and 513

preprocessor stream4_reassemble

# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote
# machines by converting any %XX character
# substitutions to their ASCII equivalent. This is
# very useful for doing things like defeating hostile
# attackers trying to stealth themselves from IDSs by
# mixing these substitutions in with the request.
# Specify the port numbers you want it to analyze as arguments.
# You may also specify -unicode to turn off detection of
# UNICODE directory traversal, etc attacks.  Use -cginull to
# turn off detection of CGI NULL code attacks.

preprocessor http_decode: 80 -unicode -cginull

# unidecode: normalize HTTP/detect UNICODE attacks
# ------------------------------------------------
# Works much the same as http_decode, but does a better
# job of categorizing and identifying UNICODE attacks,
# recommended as a potential replacement for http_decode.

# preprocessor unidecode: 80 -unicode -cginull

# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual
# 4-byte encoding that is used by default.  This preprocessor
# normalizes RPC traffic in much the same way as the http_decode
# preprocessor.  This plugin takes the ports numbers that RPC
# services are running on as arguments.

preprocessor rpc_decode: 111

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.  This preprocessor
# uses the Back Orifice "encryption" algorithm to search for
# traffic conforming to the Back Orifice protocol (not BO2K).
# This preprocessor can take two arguments.  The first is "-nobrute"
# which turns off the plugin's brute forcing routine (brute forces
# the key space of the protocol to find BO traffic).  The second
# argument that can be passed to the routine is a number to use
# as the default key when trying to decrypt the traffic.  The
# default value is 31337 (just like BO).  Be aware that turning on
# the brute forcing option runs the risk of impacting the overall
# performance of Snort, you've been warned...

preprocessor bo: -nobrute

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from
# telnet and ftp traffic.  It works in much the same way as the
# http_decode preprocessor, searching for traffic that breaks up
# the normal data stream of a protocol and replacing it with
# a normalized representation of that traffic so that the "content"
# pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.

preprocessor telnet_decode

# portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen at ...245...>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.

preprocessor portscan: $HOME_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can list multiple hosts/networks
# in a whitespace-delimited list.
#
#preprocessor portscan-ignorehosts: $DNS_SERVERS

# Spade: the Statistical Packet Anomaly Detection Engine
#-------------------------------------------------------
# READ the README.Spade file before using this plugin!
#
# See http://www.silicondefense.com/spice/ for more info
#
# Spade is a Snort plugin to report unusual, possibly
# suspicious, packets. Spade will review the packets
# received by Snort, find those of interest (TCP SYNs
# into your homenets, if any), and report those packets
# that it believes are anomalous along with an anomaly
# score.  To enable spp_anomsensor, you must have a
# line of this form in your snort configuration file:
#
# preprocessor spade: <anom-report-thresh> <state-file>
# <log-file> <prob-mode> <checkpoint-freq>
#
# set this to a directory Spade can read and write to
# store its files
#
# var SPADEDIR .
#
# preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
#
# put a list of the networks you are interested in Spade observing packets
# going to here
#
# preprocessor spade-homenet: 0.0.0.0/0
#
# this causes Spade to adjust the reporting threshold automatically
# the first argument is the target rate of alerts for normal circumstances
# (0.01 = 1% or you can give it an hourly rate) after the first hour (or
# however long the period is set to in the second argument), the reporting
# threshold given above is ignored you can comment this out to have the
# threshold be static, or try one of the other adapt methods below
# preprocessor spade-adapt3: 0.01 60 168
#
# other possible Spade config lines:
# adapt method #1
#preprocessor spade-adapt: 20 2 0.5
# adapt method #2
#preprocessor spade-adapt2: 0.01 15 4 24 7
# offline threshold learning
#preprocessor spade-threshlearn: 200 24
# periodically report on the anom scores and count of packets seen
#preprocessor spade-survey:  $SPADEDIR/survey.txt 60
# print out known stats about packet feature
#preprocessor spade-stats: entropy uncondprob condprob

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# directed ARP requests, and specific ARP mapping monitoring.  Takes a
# "-directed" option to turn on directed ARP request detection.

# preprocessor arpspoof


####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments

output alert_syslog: LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: snort.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test

# xml: xml logging
# ----------------
# See the README.xml file for more information about configuring
# and using this plugin.
#
# output xml: log, file=/var/log/snortxml

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging
# and generating alerts from Snort, the "unified" format.  The
# unified format is a straight binary format for logging data
# out of Snort that is designed to be fast and efficient.  Used
# with the upcoming tool "barnyard", most of the overhead for
# logging and alerting to various slow storage mechanisms such
# as databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
output alert_unified: snort.alert
output log_unified: snort.log

# trap_snmp: SNMP alerting for Snort
# -------------------------------------------------------------
# Read the README-SNMP file for more information on enabling and using this
# plug-in.
#
#
# The SnmpTrapGenerator outputplugin requires several parameters
# The parameters depend on the Snmpversion that is used (specified)
# For the SNMPv2c case the parameters will be as follows
#  alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber>
#         <hostName> <community>
#
# For SNMPv2c traps
#
#output trap_snmp: alert, 7, trap -v 2c -p 162  myTrapListener myCommunity
#
# For SNMPv2c informs
#
#output trap_snmp: alert, 7, inform -v 2c -p 162  myTrapListener myCommunity
#
# For SNMPv3 traps with
# security name = snortUser
# security level = authentication and privacy
# authentication parameters :
#           authentication protocol = SHA ,
#           authentication pass phrase = SnortAuthPassword
# privacy (encryption) parameters
#           privacy protocol = DES,
#           privacy pass phrase = SnortPrivPassword
#
#output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
#For SNMPv3 informs with authentication and encryption
#output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener

# You can optionally define new rule types and associate one or
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.

# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog
# and a mysql database.
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE
# redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \
#   flags:A+;)

#
# Include classification & priority settings
#

include classification.config


####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at the following web sites:
#   http://www.snort.org
#   http://www.whitehats.com
#
# The snort web site has documentation about how to
# write your own custom snort rules.
#
# The rules included with this distribution generate alerts based
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives or may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of the rules in this
# distribution.
#
# Credits:
#   Ron Gula <rgula at ...922...> of Network Security Wizards
#   Max Vision <vision at ...4...>
#   Martin Markgraf <martin at ...923...>
#   CyberPsychotic <fygrave at ...121...>
#   Nick Rogness <nick at ...176...>
#   Jim Forster <jforster at ...176...>
#   Scott McIntyre <scott at ...315...>
#   Tom Vandepoel <Tom.Vandepoel at ...271...>
#   Brian Caswell <bmc at ...312...>

#=========================================
# Include all relevant rulesets here
# by default policy, info, and virus
# rulesets are disabled
#=========================================
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include shellcode.rules
include misc.rules
include policy.rules
include info.rules
include icmp-info.rules
include virus.rules
include local.rules
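The snort.conf above routes alerts through alert_unified, which its own comments describe as a straight binary format intended for barnyard, while the Guardian alertFile setting points at a file that a text-reading responder would tail. The following checker is an added example, not code from the poster, Snort or Guardian: it tells a unified alert file from an alert_fast text file, parses the text lines, and applies the ignore-list caveat the portscan-ignorehosts comment hints at (never let an alert block HOME_NET or the DNS servers). The ALERT_MAGIC value, the alert_fast line layout and the sample alerts are assumptions or constructed data, not taken from the page.

```python
import ipaddress
import re
import struct

# Assumed ALERT_MAGIC from spo_unified.h (the file the snort.conf comments
# point to for the unified formats); check it against your Snort source.
ALERT_MAGIC = 0xDEAD4137

# One alert_fast line (assumed layout): timestamp, [**] msg [**], optional
# classification and priority, {PROTO}, src[:port] -> dst[:port].
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"(?:\[\d+:\d+:\d+\]\s+)?(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s*)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def classify(data: bytes) -> str:
    """'unified' (binary, meant for barnyard), 'text' (alert_fast) or 'unknown'."""
    if len(data) >= 4 and any(
        struct.unpack(fmt, data[:4])[0] == ALERT_MAGIC for fmt in ("<I", ">I")
    ):
        return "unified"  # written in host byte order, so both orders are tried
    try:
        lines = [ln for ln in data.decode("ascii").splitlines() if ln.strip()]
    except UnicodeDecodeError:
        return "unknown"
    return "text" if lines and all(FAST_RE.match(ln) for ln in lines) else "unknown"


def parse_fast_alerts(text: str) -> list:
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for m in filter(None, map(FAST_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["pri"] = int(rec["pri"]) if rec["pri"] else None
        alerts.append(rec)
    return alerts


def hosts_to_block(text: str, ignore_nets: tuple, max_priority: int = 2) -> set:
    """Source IPs a Guardian-style responder would act on.  Sources inside
    ignore_nets (HOME_NET, DNS servers) are skipped so a spoofed packet cannot
    make the responder firewall off its own hosts; priority 1 is most severe."""
    nets = [ipaddress.ip_network(n) for n in ignore_nets]
    blocked = set()
    for a in parse_fast_alerts(text):
        if a["pri"] is None or a["pri"] > max_priority:
            continue
        if not any(ipaddress.ip_address(a["src"]) in n for n in nets):
            blocked.add(a["src"])
    return blocked


# Constructed sample data, not real captures.
SAMPLE_UNIFIED = struct.pack("<I", ALERT_MAGIC) + b"\x00" * 12
SAMPLE_TEXT = """\
10/10-03:42:06.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 10.1.0.5
10/10-03:42:09.654321  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:4321 -> 10.1.0.80:80
10/10-03:43:00.000001  [**] [1:1616:1] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.0.53:53 -> 10.1.0.5:1024
"""
```

Run classify() over each file in the Snort log directory: a file reported as unified needs barnyard, not a text parser, and the timestamp-suffixed names in the listing are what alert_unified produces, not a single snort.alert.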