[Snort-users] No Alerts in Windows w/ Snort 2.20 RC1

Mike mike at ...12183...
Mon Jul 26 21:33:02 EDT 2004


Thanks for the suggestions, I tried it with nothing but bin\snort.exe -c
etc\snort.conf

And it still didn't pick up any of my attempts.  I did leave snort running
for quite awhile however, and it logged 8 things all the same basically(ips
removed):
[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1] 
07/26-23:19:00.987642 123.123.123.123:1680 -> 123.123.123.123:135
TCP TTL:119 TOS:0x0 ID:14235 IpLen:20 DgmLen:284 DF
***AP*** Seq: 0x7800A201  Ack: 0xC2E6D411  Win: 0x21FC  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

But this server is getting many attacks, and these are all it picks up.   It
seemed to load the rules so I don't know what I'm missing.

> -----Original Message-----
> From: Michael Steele [mailto:michaels at ...9077...]
> Sent: Monday, July 26, 2004 10:20 PM
> To: mike at ...4308...; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] No Alerts in Windows w/ Snort 2.20 RC1
> 
> Remove all the extra switches and find out which one is causing the
> problem;
> my guess would be the -A
> 
> Kindest regards,
> Michael...
> 
> WINSNORT.com Management Team Member
> --
> Pick up your FREE Windows or UNIX Snort installation guides
> mailto:support at ...9077...
> Website: http://www.winsnort.com
> Snort: Open Source Network IDS - http://www.snort.org
> 
> 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> > admin at lists.sourceforge.net] On Behalf Of mike at ...4308...
> > Sent: Monday, July 26, 2004 3:36 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] No Alerts in Windows w/ Snort 2.20 RC1
> >
> > I finally got snort to seem to run fine, however no alerts are being
> > generated when it should be. All there is, is the log file with 0 size.
> > The
> > config file is very similar to the config file I use on my linux boxes
> and
> > they all work perfectly.  I am not sure what could be wrong.  I saw a
> > previous set of messages on the list dealing with logging to an sql
> > database
> > and no alerts, so i am not sure if it is related but that one seemed
> > unresolved (at least in the archives).
> >
> > The following are the specs:
> > Windows Server 2003 Standard
> > Dual XEON 3ghz CPUS (w/ hyperthreading)
> > 2 Gigs of Ram
> > Intel(R) PRO/1000 MT Network Connection
> > Snort 2.20 RC1 - http://www.snort.org/dl/binaries/win32/snort-
> 2_2_0RC1.exe
> > WinPcap 3.0 - http://winpcap.polito.it/install/bin/WinPcap_3_0.exe
> >    (Tried latest however gave a dll entry error, saw thread that said
> this
> > works)
> > LibnetNT the included version
> >    (Tried 'upgrading' from url of:
> > http://www.eeye.com/html/Research/Tools/libnetnt.html, however saw no
> > difference minus a runtime error when i killed snort)
> >
> > My command line is:
> > C:\Snort\bin\snort.exe -c "C:\snort\etc\snort.conf" -l "C:\snort\Log" -A
> > full -i 1 -d -e -X
> >
> > I also tried:
> > bin\snort -c c:\snort\etc\snort.conf -A console -b
> >
> > but it doesn't show any alerts to the console or to file.  It is
> > definately
> > seeing lots of packets, and I can even see it getting the attack packet
> I
> > send:
> > 0x0000: 00 C0 9F 3F 13 53 00 03 31 C5 CC 00 08 00 45 00
...?.S..1.....E.
> > 0x0010: 00 A2 A0 F4 40 00 32 06 26 DB 42 4F BC A0 43 13
.... at ...2484...&.BO..C.
> > 0x0020: 3E 84 D5 89 00 50 A9 11 B7 52 E9 0F 27 90 80 18
>....P...R..'...
> > 0x0030: 16 D0 F3 AC 00 00 01 01 08 0A 0F 42 17 A8 00 00
...........B....
> > 0x0040: 00 00 47 45 54 20 2F 63 6D 64 2E 65 78 65 20 48  ..GET /cmd.exe
> H
> > 0x0050: 54 54 50 2F 31 2E 30 0D 0A 55 73 65 72 2D 41 67  TTP/1.0..User-
> Ag
> > 0x0060: 65 6E 74 3A 20 57 67 65 74 2F 31 2E 38 2E 32 0D  ent:
Wget/1.8.2.
> >
> > However no alert.  My rule files are in unix file format, however i
> > switched
> > one to PC and it still didn't pick anything up.
> >
> > For when I run snort with the -A console the output is:
> > Running in IDS mode
> > Log directory = log
> >
> > Initializing Network Interface
> > \Device\NPF_{66C08459-44B6-49F8-B602-E9E0D2731745}
> >
> >         --== Initializing Snort ==--
> > Initializing Output Plugins!
> > Decoding Ethernet on interface
> > \Device\NPF_{66C08459-44B6-49F8-B602-E9E0D2731745}
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Parsing Rules file c:\snort\etc\snort.conf
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > ,-----------[Flow Config]----------------------
> > | Stats Interval:  0
> > | Hash Method:     2
> > | Memcap:          10485760
> > | Rows  :          4099
> > | Overhead Bytes:  16400(%0.16)
> > `----------------------------------------------
> > No arguments to frag2 directive, setting defaults to:
> >     Fragment timeout: 60 seconds
> >     Fragment memory cap: 4194304 bytes
> >     Fragment min_ttl:   0
> >     Fragment ttl_limit: 5
> >     Fragment Problems: 0
> >     Self preservation threshold: 500
> >     Self preservation period: 90
> >     Suspend threshold: 1000
> >     Suspend period: 30
> > Stream4 config:
> >     Stateful inspection: ACTIVE
> >     Session statistics: INACTIVE
> >     Session timeout: 30 seconds
> >     Session memory cap: 8388608 bytes
> >     State alerts: INACTIVE
> >     Evasion alerts: INACTIVE
> >     Scan alerts: INACTIVE
> >     Log Flushed Streams: INACTIVE
> >     MinTTL: 1
> >     TTL Limit: 5
> >     Async Link: 0
> >     State Protection: 0
> >     Self preservation threshold: 50
> >     Self preservation period: 90
> >     Suspend threshold: 200
> >     Suspend period: 30
> > Stream4_reassemble config:
> >     Server reassembly: INACTIVE
> >     Client reassembly: ACTIVE
> >     Reassembler alerts: ACTIVE
> >     Zero out flushed packets: INACTIVE
> >     flush_data_diff_size: 500
> >     Ports: 21 23 25 53 80 110 111 143 513 1433
> >     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> > HttpInspect Config:
> >     GLOBAL CONFIG
> >       Max Pipeline Requests:    0
> >       Inspection Type:          STATELESS
> >       Detect Proxy Usage:       NO
> >       IIS Unicode Map Filename: c:\snort\etc\unicode.map
> >       IIS Unicode Map Codepage: 1252
> >     DEFAULT SERVER CONFIG:
> >       Ports: 80 8080 8180
> >       Flow Depth: 300
> >       Max Chunk Length: 500000
> >       Inspect Pipeline Requests: YES
> >       URI Discovery Strict Mode: NO
> >       Allow Proxy Usage: NO
> >       Disable Alerting: NO
> >       Oversize Dir Length: 500
> >       Only inspect URI: NO
> >       Ascii: YES alert: NO
> >       Double Decoding: YES alert: YES
> >       %U Encoding: YES alert: YES
> >       Bare Byte: YES alert: YES
> >       Base36: OFF
> >       UTF 8: OFF
> >       IIS Unicode: YES alert: YES
> >       Multiple Slash: YES alert: NO
> >       IIS Backslash: YES alert: NO
> >       Directory Traversal: YES alert: NO
> >       Web Root Traversal: YES alert: YES
> >       Apache WhiteSpace: YES alert: YES
> >       IIS Delimiter: YES alert: YES
> >       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> >       Non-RFC Compliant Characters: NONE
> > rpc_decode arguments:
> >     Ports to decode RPC on: 111 32771
> >     alert_fragments: INACTIVE
> >     alert_large_fragments: ACTIVE
> >     alert_incomplete: ACTIVE
> >     alert_multiple_requests: ACTIVE
> > telnet_decode arguments:
> >     Ports to decode telnet on: 21 23 25 119
> > 1768 Snort rules read...
> > 1768 Option Chains linked into 241 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> >
> > +-----------------------[thresholding-config]---------------------------
> --
> > --
> > ---
> > | memory-cap : 1048576 bytes
> > +-----------------------[thresholding-global]---------------------------
> --
> > --
> > ---
> > | none
> > +-----------------------[thresholding-local]----------------------------
> --
> > --
> > ---
> > | gen-id=1      sig-id=2495      type=Both       tracking=dst count=20
> > seconds=60
> > | gen-id=1      sig-id=2494      type=Both       tracking=dst count=20
> > seconds=60
> > | gen-id=1      sig-id=2496      type=Both       tracking=dst count=20
> > seconds=60
> > | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5
> > seconds=60
> > | gen-id=1      sig-id=2523      type=Both       tracking=dst count=10
> > seconds=10
> > +-----------------------[suppression]-----------------------------------
> --
> > --
> > ---
> > ------------------------------------------------------------------------
> --
> > --
> > ---
> > Rule application order: ->activation->dynamic->alert->pass->log
> >
> >         --== Initialization Complete ==--
> >
> > -*> Snort! <*-
> > Version 2.2.0RC1-ODBC-MySQL-FlexRESP-WIN32 (Build 28)
> > By Martin Roesch (roesch at ...1935..., www.snort.org)
> > 1.7-WIN32 Port By Michael Davis (mike at ...92...,
> > www.datanerds.net/~mike)
> > 1.8 - 2.x WIN32 Port By Chris Reid (chris.reid at ...3029...)
> > Snort received 36 packets
> >     Analyzed: 36(100.000%)
> >     Dropped: 0(0.000%)
> >
> ==========================================================================
> > ==
> > ===
> > Breakdown by protocol:
> >     TCP: 21         (58.333%)
> >     UDP: 4          (11.111%)
> >    ICMP: 2          (5.556%)
> >     ARP: 0          (0.000%)
> >   EAPOL: 0          (0.000%)
> >    IPv6: 0          (0.000%)
> >     IPX: 0          (0.000%)
> >   OTHER: 4          (11.111%)
> > DISCARD: 0          (0.000%)
> >
> ==========================================================================
> > ==
> > ===
> > Action Stats:
> > ALERTS: 0
> > LOGGED: 0
> > PASSED: 0
> >
> ==========================================================================
> > ==
> > ===
> > TCP Stream Reassembly Stats:
> >     TCP Packets Used: 12         (33.333%)
> >     Stream Trackers: 1
> >     Stream flushes: 0
> >     Segments used: 0
> >     Stream4 Memory Faults: 0
> >
> ==========================================================================
> > ==
> > ===
> > Final Flow Statistics
> > pcap_loop: read error: PacketReceivePacket failed
> > ,----[ FLOWCACHE STATS ]----------
> > Memcap: 10485760 Overhead Bytes 16400 used(%0.161858)/blocks (16972/5)
> > Overhead blocks: 1 Could Hold: (73326)
> > IPV4 count: 4 frees: 0 low_time: 1090880204, high_time: 1090880208,
diff:
> > 0h:00:04s
> >     finds: 17 reversed: 0(%0.000000)
> >     find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows:
> 4
> >  Protocol: 1 (%5.882353) finds: 1  reversed: 0(%0.000000)
> >   find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 1
> >  Protocol: 6 (%70.000000) finds: 14  reversed: 0(%0.000000)
> >   find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 1
> >  Protocol: 17 (%25.000000) finds: 5  reversed: 0(%0.000000)
> >   find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 2
> >
> >
> >
> >
> >
> > The snort.conf file
> >
> > #--------------------------------------------------
> > #   http://www.snort.org     Snort 2.1.0 Ruleset
> > #     Contact: snort-sigs at lists.sourceforge.net
> > #--------------------------------------------------
> > # $Id: snort.conf,v 1.142 2004/03/20 21:58:42 cazz Exp $
> > #
> > ###################################################
> > # This file contains a sample snort configuration.
> > # You can take the following steps to create your own custom
> > configuration:
> > #
> > #  1) Set the network variables for your network
> > #  2) Configure preprocessors
> > #  3) Configure output plugins
> > #  4) Customize your rule set
> > #
> > ###################################################
> > # Step #1: Set the network variables:
> > #
> > # You must change the following variables to reflect your local network.
> > The
> > # variable is currently setup for an RFC 1918 address space.
> > #
> > # You can specify it explicitly as:
> > #
> > # var HOME_NET 10.1.1.0/24
> > #
> > # or use global variable $<interfacename>_ADDRESS which will be always
> > # initialized to IP address and netmask of the network interface which
> you
> > run
> > # snort at.  Under Windows, this must be specified as
> > # $(<interfacename>_ADDRESS), such as:
> > # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
> > #
> > # var HOME_NET $eth0_ADDRESS
> > #
> > # You can specify lists of IP addresses for HOME_NET
> > # by separating the IPs with commas like this:
> > #
> > # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> > #
> > # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> > #
> > # or you can specify the variable to be any IP address
> > # like this:
> >
> > var HOME_NET any
> >
> > # Set up the external network addresses as well.  A good start may be
> > "any"
> > var EXTERNAL_NET any
> >
> > # Configure your server lists.  This allows snort to only look for
> attacks
> > to
> > # systems that have a service up.  Why look for HTTP attacks if you are
> > not
> > # running a web server?  This allows quick filtering based on IP
> addresses
> > # These configurations MUST follow the same configuration scheme as
> > defined
> > # above for $HOME_NET.
> >
> > # List of DNS servers on your network
> > var DNS_SERVERS $HOME_NET
> >
> > # List of SMTP servers on your network
> > var SMTP_SERVERS $HOME_NET
> >
> > # List of web servers on your network
> > var HTTP_SERVERS $HOME_NET
> >
> > # List of sql servers on your network
> > var SQL_SERVERS $HOME_NET
> >
> > # List of telnet servers on your network
> > var TELNET_SERVERS $HOME_NET
> >
> > # List of snmp servers on your network
> > var SNMP_SERVERS $HOME_NET
> >
> > # Configure your service ports.  This allows snort to look for attacks
> > destined
> > # to a specific application only on the ports that application runs on.
> > For
> > # example, if you run a web server on port 8081, set your HTTP_PORTS
> > variable
> > # like this:
> > #
> > # var HTTP_PORTS 8081
> > #
> > # Port lists must either be continuous [eg 80:8080], or a single port
> [eg
> > 80].
> > # We will adding support for a real list of ports in the future.
> >
> > # Ports you run web servers on
> > #
> > # Please note:  [80,8080] does not work.
> > # If you wish to define multiple HTTP ports,
> > #
> > ## var HTTP_PORTS 80
> > ## include somefile.rules
> > ## var HTTP_PORTS 8080
> > ## include somefile.rules
> > var HTTP_PORTS 80
> >
> > # Ports you want to look for SHELLCODE on.
> > var SHELLCODE_PORTS !80
> >
> > # Ports you do oracle attacks on
> > var ORACLE_PORTS 1521
> >
> > # other variables
> > #
> > # AIM servers.  AOL has a habit of adding new AIM servers, so instead of
> > # modifying the signatures when they do, we add them to this list of
> > servers.
> > var AIM_SERVERS
> >
> [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64
> > .1
> > 2.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
> >
> > # Path to your rules files (this can be a relative path)
> > var RULE_PATH c:\snort\rules
> >
> > # Configure the snort decoder
> > # ============================
> > #
> > # Snort's decoder will alert on lots of things such as header
> > # truncation or options of unusual length or infrequently used tcp
> options
> > #
> > #
> > # Stop generic decode events:
> > #
> > # config disable_decode_alerts
> > #
> > # Stop Alerts on experimental TCP options
> > #
> > config disable_tcpopt_experimental_alerts
> > #
> > # Stop Alerts on obsolete TCP options
> > #
> > config disable_tcpopt_obsolete_alerts
> > #
> > # Stop Alerts on T/TCP alerts
> > #
> > # In snort 2.0.1 and above, this only alerts when a TCP option is
> detected
> > # that shows T/TCP being actively used on the network.  If this is
> normal
> > # behavior for your network, disable the next option.
> > #
> > # config disable_tcpopt_ttcp_alerts
> > #
> > # Stop Alerts on all other TCPOption type events:
> > #
> > config disable_tcpopt_alerts
> > #
> > # Stop Alerts on invalid ip options
> > #
> > # config disable_ipopt_alerts
> >
> > # Configure the detection engine
> > # ===============================
> > #
> > # Use a different pattern matcher in case you have a machine with very
> > limited
> > # resources:
> > #
> > # config detection: search-method lowmem
> >
> > ###################################################
> > # Step #2: Configure preprocessors
> > #
> > # General configuration for preprocessors is of
> > # the form
> > # preprocessor <name_of_processor>: <configuration_options>
> >
> > # Configure Flow tracking module
> > # -------------------------------
> > #
> > # The Flow tracking module is meant to start unifying the state keeping
> > # mechanisms of snort into a single place. Right now, only a portscan
> > detector
> > # is implemented but in the long term,  many of the stateful subsystems
> of
> > # snort will be migrated over to becoming flow plugins. This must be
> > enabled
> > # for flow-portscan to work correctly.
> > #
> > # See README.flow for additional information
> > #
> > preprocessor flow: stats_interval 0 hash 2
> >
> > # frag2: IP defragmentation support
> > # -------------------------------
> > # This preprocessor performs IP defragmentation.  This plugin will also
> > detect
> > # people launching fragmentation attacks (usually DoS) against hosts.
> No
> > # arguments loads the default configuration of the preprocessor, which
> is
> > a
> > 60
> > # second timeout and a 4MB fragment buffer.
> >
> > # The following (comma delimited) options are available for frag2
> > #    timeout [seconds] - sets the number of [seconds] that an unfinished
> > #                        fragment will be kept around waiting for
> > completion,
> > #                        if this time expires the fragment will be
> flushed
> > #    memcap [bytes] - limit frag2 memory usage to [number] bytes
> > #                      (default:  4194304)
> > #
> > #    min_ttl [number] - minimum ttl to accept
> > #
> > #    ttl_limit [number] - difference of ttl to accept without alerting
> > #                         will cause false positves with router flap
> > #
> > # Frag2 uses Generator ID 113 and uses the following SIDS
> > # for that GID:
> > #  SID     Event description
> > # -----   -------------------
> > #   1       Oversized fragment (reassembled frag > 64k bytes)
> > #   2       Teardrop-type attack
> >
> > preprocessor frag2
> >
> > # stream4: stateful inspection/stream reassembly for Snort
> > #----------------------------------------------------------------------
> > # Use in concert with the -z [all|est] command line switch to defeat
> > stick/snot
> > # against TCP rules.  Also performs full TCP stream reassembly, stateful
> > # inspection of TCP streams, etc.  Can statefully detect various
> portscan
> > # types, fingerprinting, ECN, etc.
> >
> > # stateful inspection directive
> > # no arguments loads the defaults (timeout 30, memcap 8388608)
> > # options (options are comma delimited):
> > #   detect_scans - stream4 will detect stealth portscans and generate
> > alerts
> > #                  when it sees them when this option is set
> > #   detect_state_problems - detect TCP state problems, this tends to be
> > very
> > #                           noisy because there are a lot of crappy ip
> > stack
> > #                           implementations out there
> > #
> > #   disable_evasion_alerts - turn off the possibly noisy mitigation of
> > #                            overlapping sequences.
> > #
> > #
> > #   min_ttl [number]       - set a minium ttl that snort will accept to
> > #                            stream reassembly
> > #
> > #   ttl_limit [number]     - differential of the initial ttl on a
> session
> > versus
> > #                             the normal that someone may be playing
> > games.
> > #                             Routing flap may cause lots of false
> > positives.
> > #
> > #   keepstats [machine|binary] - keep session statistics, add "machine"
> to
> > #                         get them in a flat format for machine reading,
> > add
> > #                         "binary" to get them in a unified binary
> output
> > #                         format
> > #   noinspect - turn off stateful inspection only
> > #   timeout [number] - set the session timeout counter to [number]
> > seconds,
> > #                      default is 30 seconds
> > #   memcap [number] - limit stream4 memory usage to [number] bytes
> > #   log_flushed_streams - if an event is detected on a stream this
> option
> > will
> > #                         cause all packets that are stored in the
> stream4
> > #                         packet buffers to be flushed to disk.  This
> only
> > #                         works when logging in pcap mode!
> > #
> > # Stream4 uses Generator ID 111 and uses the following SIDS
> > # for that GID:
> > #  SID     Event description
> > # -----   -------------------
> > #   1       Stealth activity
> > #   2       Evasive RST packet
> > #   3       Evasive TCP packet retransmission
> > #   4       TCP Window violation
> > #   5       Data on SYN packet
> > #   6       Stealth scan: full XMAS
> > #   7       Stealth scan: SYN-ACK-PSH-URG
> > #   8       Stealth scan: FIN scan
> > #   9       Stealth scan: NULL scan
> > #   10      Stealth scan: NMAP XMAS scan
> > #   11      Stealth scan: Vecna scan
> > #   12      Stealth scan: NMAP fingerprint scan stateful detect
> > #   13      Stealth scan: SYN-FIN scan
> > #   14      TCP forward overlap
> >
> > preprocessor stream4: disable_evasion_alerts detect_scans  ttl_limit 6
> >
> > # tcp stream reassembly directive
> > # no arguments loads the default configuration
> > #   Only reassemble the client,
> > #   Only reassemble the default list of ports (See below),
> > #   Give alerts for "bad" streams
> > #
> > # Available options (comma delimited):
> > #   clientonly - reassemble traffic for the client side of a connection
> > only
> > #   serveronly - reassemble traffic for the server side of a connection
> > only
> > #   both - reassemble both sides of a session
> > #   noalerts - turn off alerts from the stream reassembly stage of
> stream4
> > #   ports [list] - use the space separated list of ports in [list],
> "all"
> > #                  will turn on reassembly for all ports, "default" will
> > turn
> > #                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110,
> > 111
> > #                  and 513
> >
> > preprocessor stream4_reassemble
> >
> > # http_inspect: normalize and detect HTTP traffic and protocol anomalies
> > #
> > # lots of options available here. See doc/README.http_inspect.
> > # unicode.map should be wherever your snort.conf lives, or given
> > # a full path to where snort can find it.
> > preprocessor http_inspect: global \
> >     iis_unicode_map unicode.map 1252
> >
> > preprocessor http_inspect_server: server default \
> >     profile all ports { 80 8080 8180 } oversize_dir_length 500
> >
> > #
> > #  Example unqiue server configuration
> > #
> > #preprocessor http_inspect_server: server 1.1.1.1 \
> > #    ports { 80 3128 8080 } \
> > #    flow_depth 0 \
> > #    ascii no \
> > #    double_decode yes \
> > #    non_rfc_char { 0x00 } \
> > #    chunk_length 500000 \
> > #    non_strict \
> > #    oversize_dir_length 300 \
> > #    no_alerts
> >
> >
> > # rpc_decode: normalize RPC traffic
> > # ---------------------------------
> > # RPC may be sent in alternate encodings besides the usual 4-byte
> encoding
> > # that is used by default. This plugin takes the port numbers that RPC
> > # services are running on as arguments - it is assumed that the given
> > ports
> > # are actually running this type of service. If not, change the ports or
> > turn
> > # it off.
> > # The RPC decode preprocessor uses generator ID 106
> > #
> > # arguments: space separated list
> > # alert_fragments - alert on any rpc fragmented TCP data
> > # no_alert_multiple_requests - don't alert when >1 rpc query is in a
> > packet
> > # no_alert_large_fragments - don't alert when the fragmented
> > #                            sizes exceed the current packet size
> > # no_alert_incomplete - don't alert when a single segment
> > #                       exceeds the current packet size
> >
> > preprocessor rpc_decode: 111 32771
> >
> > # bo: Back Orifice detector
> > # -------------------------
> > # Detects Back Orifice traffic on the network.  Takes no arguments in
> 2.0.
> > #
> > # The Back Orifice detector uses Generator ID 105 and uses the
> > # following SIDS for that GID:
> > #  SID     Event description
> > # -----   -------------------
> > #   1       Back Orifice traffic detected
> >
> > preprocessor bo
> >
> > # telnet_decode: Telnet negotiation string normalizer
> > # ---------------------------------------------------
> > # This preprocessor "normalizes" telnet negotiation strings from telnet
> > and
> > ftp
> > # traffic.  It works in much the same way as the http_decode
> preprocessor,
> > # searching for traffic that breaks up the normal data stream of a
> > protocol
> > and
> > # replacing it with a normalized representation of that traffic so that
> > the
> > # "content" pattern matching keyword can work without requiring
> > modifications.
> > # This preprocessor requires no arguments.
> > # Portscan uses Generator ID 109 and does not generate any SID
currently.
> >
> > preprocessor telnet_decode
> >
> > # Flow-Portscan: detect a variety of portscans
> > # ---------------------------------------
> > # Note:  The Flow preprocessor (above) must first be enabled for
> > Flow-Portscan to
> > # work.
> > #
> > # This module detects portscans based off of flow creation in the flow
> > # preprocessors.  The goal is to catch catch one->many hosts and one-
> >many
> > # ports scans.
> > #
> > # Flow-Portscan has numerous options available, please read
> > # README.flow-portscan for help configuring this option.
> >
> > # Flow-Portscan uses Generator ID 121 and uses the following SIDS for
> that
> > GID:
> > #  SID     Event description
> > # -----   -------------------
> > #   1       flow-portscan: Fixed Scale Scanner Limit Exceeded
> > #   2       flow-portscan: Sliding Scale Scanner Limit Exceeded
> > #   3       flow-portscan: Fixed Scale Talker Limit Exceeded
> > #   4	    flow-portscan: Sliding Scale Talker Limit Exceeded
> >
> > # preprocessor flow-portscan: \
> > #	talker-sliding-scale-factor 0.50 \
> > #	talker-fixed-threshold 30 \
> > #	talker-sliding-threshold 30 \
> > #	talker-sliding-window 20 \
> > #	talker-fixed-window 30 \
> > #	scoreboard-rows-talker 30000 \
> > #	server-watchnet [10.2.0.0/30] \
> > #	server-ignore-limit 200 \
> > #	server-rows 65535 \
> > #	server-learning-time 14400 \
> > #	server-scanner-limit 4 \
> > #	scanner-sliding-window 20 \
> > #	scanner-sliding-scale-factor 0.50 \
> > #	scanner-fixed-threshold 15 \
> > #	scanner-sliding-threshold 40 \
> > #	scanner-fixed-window 15 \
> > #	scoreboard-rows-scanner 30000 \
> > #	src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
> > #	dst-ignore-net [10.0.0.0/30] \
> > #	alert-mode once \
> > #	output-mode msg \
> > #	tcp-penalties on
> >
> > # arpspoof
> > #----------------------------------------
> > # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
> > # unicast ARP requests, and specific ARP mapping monitoring.  To make
> use
> > of
> > # this preprocessor you must specify the IP and hardware address of
> hosts
> > on
> > # the same layer 2 segment as you.  Specify one host IP MAC combo per
> > line.
> > # Also takes a "-unicast" option to turn on unicast ARP request
> detection.
> > # Arpspoof uses Generator ID 112 and uses the following SIDS for that
> GID:
> >
> > #  SID     Event description
> > # -----   -------------------
> > #   1       Unicast ARP request
> > #   2       Etherframe ARP mismatch (src)
> > #   3       Etherframe ARP mismatch (dst)
> > #   4       ARP cache overwrite attack
> >
> > #preprocessor arpspoof
> > #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
> >
> >
> > # Performance Statistics
> > # ----------------------
> > # Documentation for this is provided in the Snort Manual.  You should
> read
> > it.
> > # It is included in the release distribution as doc/snort_manual.pdf
> > #
> > # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt
> > 10000
> >
> > ####################################################################
> > # Step #3: Configure output plugins
> > #
> > # Uncomment and configure the output plugins you decide to use.  General
> > # configuration for output plugins is of the form:
> > #
> > # output <name_of_plugin>: <configuration_options>
> > #
> > # alert_syslog: log alerts to syslog
> > # ----------------------------------
> > # Use one or more syslog facilities as arguments.  Win32 can also
> > optionally
> > # specify a particular hostname/port.  Under Win32, the default hostname
> > is
> > # '127.0.0.1', and the default port is 514.
> > #
> > # [Unix flavours should use this format...]
> > # output alert_syslog: LOG_AUTH LOG_ALERT
> > #
> > # [Win32 can use any of these formats...]
> > # output alert_syslog: LOG_AUTH LOG_ALERT
> > # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
> > # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
> >
> > # log_tcpdump: log packets in binary tcpdump format
> > # -------------------------------------------------
> > # The only argument is the output file name.
> > #
> > # output log_tcpdump: tcpdump.log
> >
> > # database: log to a variety of databases
> > # ---------------------------------------
> > # See the README.database file for more information about configuring
> > # and using this plugin.
> > #
> > # output database: log, mysql, user=root password=test dbname=db
> > host=localhost
> > # output database: alert, postgresql, user=snort dbname=snort
> > # output database: log, odbc, user=snort dbname=snort
> > # output database: log, mssql, dbname=snort user=snort password=test
> > # output database: log, oracle, dbname=snort user=snort password=test
> > # unified: Snort unified binary format alerting and logging
> > # -------------------------------------------------------------
> > # The unified output plugin provides two new formats for logging and
> > generating
> > # alerts from Snort, the "unified" format.  The unified format is a
> > straight
> > # binary format for logging data out of Snort that is designed to be
> fast
> > and
> > # efficient.  Used with barnyard (the new alert/log processor), most of
> > the
> > # overhead for logging and alerting to various slow storage mechanisms
> > such
> > as
> > # databases or the network can now be avoided.
> > #
> > # Check out the spo_unified.h file for the data formats.
> > #
> > # Two arguments are supported.
> > #    filename - base filename to write to (current time_t is appended)
> > #    limit    - maximum size of spool file in MB (default: 128)
> > #
> > # output alert_unified: filename snort.alert, limit 128
> > # output log_unified: filename snort.log, limit 128
> >
> > # You can optionally define new rule types and associate one or more
> > output
> > # plugins specifically to that type.
> > #
> > # This example will create a type that will log to just tcpdump.
> > # ruletype suspicious
> > # {
> > #   type log
> > #   output log_tcpdump: suspicious.log
> > # }
> > #
> > # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
> > # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC
> > Server";)
> > #
> > # This example will create a rule type that will log to syslog and a
> mysql
> > # database:
> > # ruletype redalert
> > # {
> > #   type alert
> > #   output alert_syslog: LOG_AUTH LOG_ALERT
> > #   output database: log, mysql, user=snort dbname=snort host=localhost
> > # }
> > #
> > # EXAMPLE RULE FOR REDALERT RULETYPE:
> > # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
> > #   (msg:"Someone is being LEET"; flags:A+;)
> >
> > #
> > # Include classification & priority settings
> > #
> >
> > include classification.config
> >
> > #
> > # Include reference systems
> > #
> >
> > include reference.config
> >
> > ####################################################################
> > # Step #4: Customize your rule set
> > #
> > # Up to date snort rules are available at http://www.snort.org
> > #
> > # The snort web site has documentation about how to write your own
> custom
> > snort
> > # rules.
> > #
> > # The rules included with this distribution generate alerts based on on
> > # suspicious activity. Depending on your network environment, your
> > security
> > # policies, and what you consider to be suspicious, some of these rules
> > may
> > # either generate false positives ore may be detecting activity you
> > consider
> > to
> > # be acceptable; therefore, you are encouraged to comment out rules that
> > are
> > # not applicable in your environment.
> > #
> > # The following individuals contributed many of rules in this
> > distribution.
> > #
> > # Credits:
> > #   Ron Gula <rgula at ...922...> of Network Security Wizards
> > #   Max Vision <vision at ...4...>
> > #   Martin Markgraf <martin at ...923...>
> > #   Fyodor Yarochkin <fygrave at ...121...>
> > #   Nick Rogness <nick at ...176...>
> > #   Jim Forster <jforster at ...176...>
> > #   Scott McIntyre <scott at ...315...>
> > #   Tom Vandepoel <Tom.Vandepoel at ...271...>
> > #   Brian Caswell <bmc at ...950...>
> > #   Zeno <admin at ...4494...>
> > #   Ryan Russell <ryan at ...35...>
> >
> >
> >
> > #=========================================
> > # Include all relevant rulesets here
> > #
> > # The following rulesets are disabled by default:
> > #
> > #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info,
> > virus,
> > #   chat, multimedia, and p2p
> > #
> > # These rules are either site policy specific or require tuning in order
> > to
> > not
> > # generate false positive alerts in most enviornments.
> > #
> > # Please read the specific include file for more information and
> > # README.alert_order for how rule ordering affects how alerts are
> > triggered.
> > #=========================================
> >
> > include $RULE_PATH/local.rules
> > include $RULE_PATH/bad-traffic.rules
> > include $RULE_PATH/exploit.rules
> > include $RULE_PATH/scan.rules
> > include $RULE_PATH/finger.rules
> > include $RULE_PATH/ftp.rules
> > include $RULE_PATH/telnet.rules
> > include $RULE_PATH/rpc.rules
> > include $RULE_PATH/rservices.rules
> > include $RULE_PATH/dos.rules
> > include $RULE_PATH/ddos.rules
> > include $RULE_PATH/dns.rules
> > include $RULE_PATH/tftp.rules
> >
> > include $RULE_PATH/web-cgi.rules
> > include $RULE_PATH/web-coldfusion.rules
> > include $RULE_PATH/web-iis.rules
> > include $RULE_PATH/web-frontpage.rules
> > include $RULE_PATH/web-misc.rules
> > include $RULE_PATH/web-client.rules
> > include $RULE_PATH/web-php.rules
> >
> > include $RULE_PATH/sql.rules
> > include $RULE_PATH/x11.rules
> > include $RULE_PATH/icmp.rules
> > include $RULE_PATH/netbios.rules
> > include $RULE_PATH/misc.rules
> > include $RULE_PATH/attack-responses.rules
> > include $RULE_PATH/oracle.rules
> > include $RULE_PATH/mysql.rules
> > include $RULE_PATH/snmp.rules
> >
> > include $RULE_PATH/smtp.rules
> > include $RULE_PATH/imap.rules
> > include $RULE_PATH/pop2.rules
> > include $RULE_PATH/pop3.rules
> >
> > include $RULE_PATH/nntp.rules
> > include $RULE_PATH/other-ids.rules
> > include $RULE_PATH/web-attacks.rules
> > include $RULE_PATH/backdoor.rules
> > include $RULE_PATH/shellcode.rules
> > include $RULE_PATH/policy.rules
> > include $RULE_PATH/porn.rules
> > include $RULE_PATH/info.rules
> > include $RULE_PATH/icmp-info.rules
> > include $RULE_PATH/virus.rules
> > include $RULE_PATH/chat.rules
> > include $RULE_PATH/multimedia.rules
> > include $RULE_PATH/p2p.rules
> > include $RULE_PATH/experimental.rules
> >
> > # Include any thresholding or suppression commands. See threshold.conf
> in
> > the
> > # <snort src>/etc directory for details. Commands don't necessarily need
> > to
> > be
> > # contained in this conf, but a separate conf makes it easier to
> maintain
> > them.
> > # Uncomment if needed.
> > # include threshold.conf
> > config event_queue: log 2
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by BEA Weblogic Workshop
> > FREE Java Enterprise J2EE developer tools!
> > Get your free copy of BEA WebLogic Workshop 8.1 today.
> > http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 






More information about the Snort-users mailing list