[Snort-users] Hi I'm new to Snort and I keep getting weird errors....please help !

Gill, Rob rob.gill at ...7950...
Fri Apr 25 15:05:04 EDT 2003


To all,

 

Thanks in advance for any and all help you give me as I realize I am new to
Snort and some of my statements may seem a bit slow :0).

 

I loaded Snort 2.0 on a win2k pro machine and configured using IDSCenter 1.1
RC2 so the snort.conf looked like this:

 

#--------------------------------------------------

# Snort IDScenter ruleset

# Contact: eclipse at ...5277... / iuk at ...1171...

#--------------------------------------------------

# Generated using IDScenter 1.1 RC2

###################################################

# You can take the following steps to create your

# own custom configuration:

# 1) Set the network variables for your network

# 2) Configure preprocessors

# 3) Configure output plugins

# 4) Customize your rule set

###################################################

 

###################################################

# Step #1: Set the network variables:

# You must change the following variables to reflect

# your local network. The variable is currently

# set up for an RFC 1918 address space.

###################################################

var HOME_NET 130.170.97.0/25

var EXTERNAL_NET any

var DNS_SERVERS $HOME_NET

var SMTP_SERVERS $HOME_NET

var HTTP_SERVERS $HOME_NET

var SQL_SERVERS $HOME_NET

var TELNET_SERVERS $HOME_NET

var HTTP_PORTS 80

var SHELLCODE_PORTS !80

var ORACLE_PORTS 1521

var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

var RULE_PATH e:\Snort\rules\

 

# frag2: IP defragmentation support

# -------------------------------

# This preprocessor performs IP defragmentation.  This plugin will also detect

# people launching fragmentation attacks (usually DoS) against hosts.  No

# arguments loads the default configuration of the preprocessor, which is a

# 60 second timeout and a 4MB fragment buffer.

 

# The following (comma delimited) options are available for frag2

#    timeout [seconds] - sets the number of [seconds] that an unfinished

#                        fragment will be kept around waiting for completion,

#                        if this time expires the fragment will be flushed

#    memcap [bytes] - limit frag2 memory usage to [number] bytes

#                      (default:  4194304)

#

#    min_ttl [number] - minimum ttl to accept

#

#    ttl_limit [number] - difference of ttl to accept without alerting

#                         will cause false positives with router flap

#

# Frag2 uses Generator ID 113 and uses the following SIDS

# for that GID:

#  SID     Event description

# -----   -------------------

#   1       Oversized fragment (reassembled frag > 64k bytes)

#   2       Teardrop-type attack

preprocessor frag2

 

# stream4: stateful inspection/stream reassembly for Snort

#----------------------------------------------------------------------

# Use in concert with the -z [all|est] command line switch to defeat

# stick/snot against TCP rules.  Also performs full TCP stream

# reassembly, stateful inspection of TCP streams, etc.  Can statefully

# detect various portscan types, fingerprinting, ECN, etc.

 

# stateful inspection directive

# no arguments loads the defaults (timeout 30, memcap 8388608)

# options (options are comma delimited):

#   detect_scans - stream4 will detect stealth portscans and generate alerts

#                  when it sees them when this option is set

#   detect_state_problems - detect TCP state problems, this tends to be very

#                           noisy because there are a lot of crappy ip stack

#                           implementations out there

#

#   disable_evasion_alerts - turn off the possibly noisy mitigation of

#                            overlapping sequences.

#

#

#   min_ttl [number]       - set a minimum ttl that snort will accept to

#                            stream reassembly

#

#   ttl_limit [number]     - differential of the initial ttl on a session versus

#                             the normal that someone may be playing games.

#                             Routing flap may cause lots of false positives.

#

#   keepstats [machine|binary] - keep session statistics, add "machine" to

#                         get them in a flat format for machine reading, add

#                         "binary" to get them in a unified binary output

#                         format

#   noinspect - turn off stateful inspection only

#   timeout [number] - set the session timeout counter to [number] seconds,

#                      default is 30 seconds

#   memcap [number] - limit stream4 memory usage to [number] bytes

#   log_flushed_streams - if an event is detected on a stream this option will

#                         cause all packets that are stored in the stream4

#                         packet buffers to be flushed to disk.  This only

#                         works when logging in pcap mode!

#

# Stream4 uses Generator ID 111 and uses the following SIDS

# for that GID:

#  SID     Event description

# -----   -------------------

#   1       Stealth activity

#   2       Evasive RST packet

#   3       Evasive TCP packet retransmission

#   4       TCP Window violation

#   5       Data on SYN packet

#   6       Stealth scan: full XMAS

#   7       Stealth scan: SYN-ACK-PSH-URG

#   8       Stealth scan: FIN scan

#   9       Stealth scan: NULL scan

#   10      Stealth scan: NMAP XMAS scan

#   11      Stealth scan: Vecna scan

#   12      Stealth scan: NMAP fingerprint scan stateful detect

#   13      Stealth scan: SYN-FIN scan

#   14      TCP forward overlap

preprocessor stream4: detect_scans

 

# TCP stream reassembly directive

# no arguments loads the default configuration

#   Only reassemble the client,

#   Only reassemble the default list of ports (See below),

#   Give alerts for "bad" streams

 

# Available options (comma delimited):

#   clientonly - reassemble traffic for the client side of a connection only

#   serveronly - reassemble traffic for the server side of a connection only

#   both - reassemble both sides of a session

#   noalerts - turn off alerts from the stream reassembly stage of stream4

#   ports [list] - use the space separated list of ports in [list], "all"

#                  will turn on reassembly for all ports, "default" will turn

#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111

#                  and 513

preprocessor stream4_reassemble: clientonly

 

# http_decode: normalize HTTP requests

# ------------------------------------

# http_decode normalizes HTTP requests from remote

# machines by converting any %XX character

# substitutions to their ASCII equivalent. This is

# very useful for doing things like defeating hostile

# attackers trying to stealth themselves from IDSs by

# mixing these substitutions in with the request.

# Specify the port numbers you want it to analyze as arguments.

#

# Major code cleanups thanks to rfp

#

# unicode          - normalize unicode

# iis_alt_unicode  - %u encoding from iis

# double_encode    - alert on possible double encodings

# iis_flip_slash   - normalize \ as /

# full_whitespace  - treat \t as whitespace ( for apache )

#

# for that GID:

#  SID     Event description

# -----   -------------------

#   1       UNICODE attack

#   2       NULL byte attack

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

 

# rpc_decode: normalize RPC traffic

# ---------------------------------

# RPC may be sent in alternate encodings besides the usual

# 4-byte encoding that is used by default.  This preprocessor

# normalizes RPC traffic in much the same way as the http_decode

# preprocessor.  This plugin takes the port numbers that RPC

# services are running on as arguments.

# The RPC decode preprocessor uses generator ID 106 and does not

# generate any SIDs at this time.

preprocessor rpc_decode: 111 32771

 

# bo: Back Orifice detector

# -------------------------

# Detects Back Orifice traffic on the network.  This preprocessor

# uses the Back Orifice "encryption" algorithm to search for

# traffic conforming to the Back Orifice protocol (not BO2K).

# This preprocessor can take two arguments.  The first is "-nobrute"

# which turns off the plugin's brute forcing routine (brute forces

# the key space of the protocol to find BO traffic).  The second

# argument that can be passed to the routine is a number to use

# as the default key when trying to decrypt the traffic.  The

# default value is 31337 (just like BO).  Be aware that turning on

# the brute forcing option runs the risk of impacting the overall

# performance of Snort, you've been warned...

# The Back Orifice detector uses Generator ID 105 and uses the

# following SIDS for that GID:

#  SID     Event description

# -----   -------------------

#   1       Back Orifice traffic detected

preprocessor bo: -nobrute

 

# telnet_decode: Telnet negotiation string normalizer

# ---------------------------------------------------

# This preprocessor "normalizes" telnet negotiation strings from

# telnet and ftp traffic.  It works in much the same way as the

# http_decode preprocessor, searching for traffic that breaks up

# the normal data stream of a protocol and replacing it with

# a normalized representation of that traffic so that the "content"

# pattern matching keyword can work without requiring modifications.

# This preprocessor requires no arguments.

# telnet_decode uses Generator ID 109 and does not generate any SID currently.

preprocessor telnet_decode

 

# portscan: detect a variety of portscans

# ---------------------------------------

# portscan preprocessor by Patrick Mullen <p_mullen at ...245...>

# This preprocessor detects UDP packets or TCP SYN packets going to

# four different ports in less than three seconds. "Stealth" TCP

# packets are always detected, regardless of these settings.

# Portscan uses Generator ID 100 and uses the following SIDS for that GID:

#  SID     Event description

# -----   -------------------

#   1       Portscan detect

#   2       Inter-scan info

#   3       Portscan End

preprocessor portscan: $HOME_NET 10 3 E:\IDScenter\portscan.log

 

# arpspoof

#----------------------------------------

# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,

# unicast ARP requests, and specific ARP mapping monitoring.  To make use

# of this preprocessor you must specify the IP and hardware address of hosts

# on the same layer 2 segment as you.  Specify one host IP MAC combo per line.

# Also takes a "-unicast" option to turn on unicast ARP request detection.

# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:

#  SID     Event description

# -----   -------------------

#   1       Unicast ARP request

#   2       Etherframe ARP mismatch (src)

#   3       Etherframe ARP mismatch (dst)

#   4       ARP cache overwrite attack

preprocessor arpspoof

 

 

####################################################################

# Step #3: Configure output plugins

#

# General configuration for output plugins is of the form:

#

# output <name_of_plugin>: <configuration_options>

 

####################################################################

# Step #4: Customize your rule set

#

# Up to date snort rules are available at http://www.snort.org

#

# The snort web site has documentation about how to write your own

# custom snort rules.

#

# The rules included with this distribution generate alerts based

# on suspicious activity. Depending on your network environment, your

# security policies, and what you consider to be suspicious, some of

# these rules may either generate false positives or may be detecting

# activity you consider to be acceptable; therefore, you are

# encouraged to comment out rules that are not applicable in your

# environment.

#

# Note that using all of the rules at the same time may lead to

# serious packet loss on slower machines. YMMV, use with caution,

# standard disclaimers apply. :)

#

# The following individuals contributed many of the rules in this

# distribution.

#

# Credits:

#   Ron Gula <rgula at ...922...> of Network Security Wizards

#   Max Vision <vision at ...4...>

#   Martin Markgraf <martin at ...923...>

#   Fyodor Yarochkin <fygrave at ...121...>

#   Nick Rogness <nick at ...176...>

#   Jim Forster <jforster at ...176...>

#   Scott McIntyre <scott at ...315...>

#   Tom Vandepoel <Tom.Vandepoel at ...271...>

#   Brian Caswell <bmc at ...950...>

#   Zeno <admin at ...4494...>

#   Ryan Russell <ryan at ...35...>

#

#=========================================

# Include all relevant rulesets here

#

# shellcode, policy, info, backdoor, and virus rulesets are

# disabled by default.  These require tuning and maintenance.

# Please read the included specific file for more information.

#=========================================

 

# Classification configuration file

include E:\Snort\etc\classification.config

 

# Rule/Signature files:

include E:\Snort\rules\bad-traffic.rules

include E:\Snort\rules\nntp.rules

include E:\Snort\rules\oracle.rules

#include E:\Snort\rules\other-ids.rules

#include E:\Snort\rules\p2p.rules

#include E:\Snort\rules\policy.rules

#include E:\Snort\rules\pop2.rules

include E:\Snort\rules\pop3.rules

include E:\Snort\rules\rpc.rules

include E:\Snort\rules\rservices.rules

include E:\Snort\rules\scan.rules

include E:\Snort\rules\smtp.rules

include E:\Snort\rules\snmp.rules

include E:\Snort\rules\sql.rules

include E:\Snort\rules\telnet.rules

include E:\Snort\rules\virus.rules

include E:\Snort\rules\web-attacks.rules

include E:\Snort\rules\web-cgi.rules

include E:\Snort\rules\web-client.rules

include E:\Snort\rules\web-coldfusion.rules

include E:\Snort\rules\web-php.rules

include E:\Snort\rules\web-frontpage.rules

include E:\Snort\rules\web-misc.rules

include E:\Snort\rules\web-iis.rules

include E:\Snort\rules\porn.rules

include E:\Snort\rules\dos.rules

include E:\Snort\rules\netbios.rules

#include E:\Snort\rules\mysql.rules

#include E:\Snort\rules\multimedia.rules

include E:\Snort\rules\misc.rules

#include E:\Snort\rules\local.rules

#include E:\Snort\rules\info.rules

include E:\Snort\rules\imap.rules

#include E:\Snort\rules\icmp-info.rules

include E:\Snort\rules\ftp.rules

include E:\Snort\rules\finger.rules

include E:\Snort\rules\exploit.rules

#include E:\Snort\rules\experimental.rules

include E:\Snort\rules\deleted.rules

include E:\Snort\rules\dns.rules

include E:\Snort\rules\ddos.rules

include E:\Snort\rules\chat.rules

include E:\Snort\rules\backdoor.rules

include E:\Snort\rules\attack-responses.rules

include E:\Snort\rules\icmp.rules

#include classification.config

 

Unfortunately, when I launch Snort, I keep getting the following messages:

 

04/25-14:47:59.541381  [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.11:138 -> 130.170.97.127:138

04/25-14:48:32.840677  [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.21:138 -> 130.170.97.127:138

04/25-14:48:34.562718  [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.16:138 -> 130.170.97.127:138

04/25-14:48:38.265470  [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.21:138 -> 130.170.97.127:138

04/25-14:49:04.954665  [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.16:137 -> 130.170.97.127:137

04/25-14:49:15.496007  [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.13:138 -> 130.170.97.127:138

04/25-14:49:25.264974  [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.15:138 -> 130.170.97.127:138

04/25-14:49:57.660548  [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.15:137 -> 130.170.97.127:137

 

Our broadcast IP for this subnet is 130.170.96.127 (255.255.255.128).  I
know that Windows uses ports 137 and 138 to do NetBIOS resolutions....what
did I do wrong that Snort alarms on normal NetBIOS broadcast resolutions?

 

Thx

 

Rob
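For triaging the alerts quoted in the post, here is an added example (my code, not from the post, Snort or IDScenter): a parser for this fast-alert line format that buckets each gid:sid as local NetBIOS broadcast noise or as something to review, using the HOME_NET from the posted snort.conf and two of the post's own alert lines as input. The noise criterion (source inside HOME_NET, destination equal to the subnet broadcast, UDP to 137/138) is an assumption based on the poster's own description of Windows NetBIOS name resolution.

```python
import ipaddress
import re
from collections import Counter

# Snort 2.0 fast-alert line as shown in the post; the Win32 build prints the
# capture device name in angle brackets right after the [gid:sid:rev] tag.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?:<(?P<iface>[^>]*)>\s+)?(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
INT_KEYS = ("gid", "sid", "rev", "prio", "sport", "dport")

HOME_NET = ipaddress.ip_network("130.170.97.0/25")  # var HOME_NET from the posted snort.conf
NETBIOS_UDP_PORTS = {137, 138}  # NetBIOS name service and datagram service

# Two of the post's own alert lines, rejoined onto single lines.
SAMPLE_ALERTS = [
    "04/25-14:47:59.541381  [**] [1:1620:3] <\\Device\\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> "
    "BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard "
    "protocol or event] [Priority: 2] {UDP} 130.170.97.11:138 -> 130.170.97.127:138",
    "04/25-14:49:04.954665  [**] [1:1620:3] <\\Device\\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> "
    "BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard "
    "protocol or event] [Priority: 2] {UDP} 130.170.97.16:137 -> 130.170.97.127:137",
]


def parse_alert(line):
    """Parse one fast-alert line into a dict (numeric fields as int), or None."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return {k: int(v) if k in INT_KEYS and v is not None else v
            for k, v in m.groupdict().items()}


def is_local_netbios_broadcast(alert, home_net=HOME_NET):
    """True when a HOME_NET host sends UDP to HOME_NET's broadcast address on
    137/138: routine Windows name-service chatter, not a non-standard IP protocol."""
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    return (alert["proto"] == "UDP" and src in home_net
            and dst == home_net.broadcast_address
            and alert["dport"] in NETBIOS_UDP_PORTS)


def triage(lines, home_net=HOME_NET):
    """Count alerts per gid:sid, split into 'noise' and 'review' buckets."""
    buckets = Counter()
    for alert in filter(None, map(parse_alert, lines)):
        kind = "noise" if is_local_netbios_broadcast(alert, home_net) else "review"
        buckets[(f"{alert['gid']}:{alert['sid']}", kind)] += 1
    return buckets
```

Anything that lands in the "review" bucket (a destination that is not the subnet broadcast, a non-UDP protocol, or a source outside HOME_NET) is what to look at first; the "noise" bucket is the broadcast traffic the poster describes.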
