[Snort-users] Snort windows help

Razia Mir razptcl at ...131...
Wed Jul 28 21:39:02 EDT 2004


 I have worked on snort in linux environment but using it in windows environment for the first time.I am getting the error message and am confused because I don't know what is wrong. I have reinstalled the snort and changed the path but still the same message
 
C:\Snort\bin>snort -A full -c C:\Snort\etc\snort.conf -l C:\Snort\log
Running in IDS mode
Log directory = C:\Snort\log
Initializing Network Interface \Device\NPF_{E2D99213-90AE-44FD-AE62-52B6887D36AB
}
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{E2D99213-90AE-44FD-AE62-52B6887D36AB
}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file C:\Snort\etc\snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Unable to open rules file: C:\Snort\etc\snort.conf or C:\Snort\etc\C:\Sno
rt\etc\snort.conf
Fatal Error, Quitting..
 
My snort.conf file looks like this
 

#--------------------------------------------------

# http://www.snort.org Snort 2.1.0 Ruleset

# Contact: snort-sigs at lists.sourceforge.net

#--------------------------------------------------

# $Id: snort.conf,v 1.141 2004/02/20 17:27:29 cazz Exp $

#

###################################################

# This file contains a sample snort configuration. 

# You can take the following steps to create your own custom configuration:

#

# 1) Set the network variables for your network

# 2) Configure preprocessors

# 3) Configure output plugins

# 4) Customize your rule set

#

###################################################

# Step #1: Set the network variables:

#

# You must change the following variables to reflect your local network. The

# variable is currently setup for an RFC 1918 address space.

#

# You can specify it explicitly as: 

#

# var HOME_NET 10.1.1.0/24

#

# or use global variable $<interfacename>_ADDRESS which will be always

# initialized to IP address and netmask of the network interface which you run

# snort at. Under Windows, this must be specified as

# $(<interfacename>_ADDRESS), such as:

# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)

#

# var HOME_NET $eth0_ADDRESS

#

# You can specify lists of IP addresses for HOME_NET

# by separating the IPs with commas like this:

#

# var HOME_NET [10.1.1.0/24,192.168.1.0/24]

#

# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!

#

# or you can specify the variable to be any IP address

# like this:

var HOME_NET any

# Set up the external network addresses as well. A good start may be "any"

var EXTERNAL_NET any

# Configure your server lists. This allows snort to only look for attacks to

# systems that have a service up. Why look for HTTP attacks if you are not

# running a web server? This allows quick filtering based on IP addresses

# These configurations MUST follow the same configuration scheme as defined

# above for $HOME_NET. 

# List of DNS servers on your network 

var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network

var SMTP_SERVERS $HOME_NET

# List of web servers on your network

var HTTP_SERVERS $HOME_NET

# List of sql servers on your network 

var SQL_SERVERS $HOME_NET

# List of telnet servers on your network

var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network

var SNMP_SERVERS $HOME_NET

# Configure your service ports. This allows snort to look for attacks destined

# to a specific application only on the ports that application runs on. For

# example, if you run a web server on port 8081, set your HTTP_PORTS variable

# like this:

#

# var HTTP_PORTS 8081

#

# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].

# We will adding support for a real list of ports in the future.

# Ports you run web servers on

#

# Please note: [80,8080] does not work.

# If you wish to define multiple HTTP ports,

# 

## var HTTP_PORTS 80 

## include somefile.rules 

## var HTTP_PORTS 8080

## include somefile.rules 

var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.

var SHELLCODE_PORTS !80

# Ports you do oracle attacks on

var ORACLE_PORTS 1521

# other variables

# 

# AIM servers. AOL has a habit of adding new AIM servers, so instead of

# modifying the signatures when they do, we add them to this list of servers.

var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)

var RULE_PATH c:\Snort\rules

# Configure the snort decoder

# ============================

#

# Snort's decoder will alert on lots of things such as header

# truncation or options of unusual length or infrequently used tcp options

#

#

# Stop generic decode events:

#

# config disable_decode_alerts

#

# Stop Alerts on experimental TCP options

#

# config disable_tcpopt_experimental_alerts

#

# Stop Alerts on obsolete TCP options

#

# config disable_tcpopt_obsolete_alerts

#

# Stop Alerts on T/TCP alerts

#

# In snort 2.0.1 and above, this only alerts when a TCP option is detected

# that shows T/TCP being actively used on the network. If this is normal

# behavior for your network, disable the next option.

#

# config disable_tcpopt_ttcp_alerts

#

# Stop Alerts on all other TCPOption type events:

#

# config disable_tcpopt_alerts

#

# Stop Alerts on invalid ip options

#

# config disable_ipopt_alerts

# Configure the detection engine

# ===============================

#

# Use a different pattern matcher in case you have a machine with very limited

# resources:

#

# config detection: search-method lowmem

###################################################

# Step #2: Configure preprocessors

#

# General configuration for preprocessors is of 

# the form

# preprocessor <name_of_processor>: <configuration_options>

# Configure Flow tracking module

# -------------------------------

#

# The Flow tracking module is meant to start unifying the state keeping

# mechanisms of snort into a single place. Right now, only a portscan detector

# is implemented but in the long term, many of the stateful subsystems of

# snort will be migrated over to becoming flow plugins. This must be enabled

# for flow-portscan to work correctly.

#

# See README.flow for additional information

#

preprocessor flow: stats_interval 0 hash 2

# frag2: IP defragmentation support

# -------------------------------

# This preprocessor performs IP defragmentation. This plugin will also detect

# people launching fragmentation attacks (usually DoS) against hosts. No

# arguments loads the default configuration of the preprocessor, which is a 60

# second timeout and a 4MB fragment buffer. 

# The following (comma delimited) options are available for frag2

# timeout [seconds] - sets the number of [seconds] that an unfinished 

# fragment will be kept around waiting for completion,

# if this time expires the fragment will be flushed

# memcap [bytes] - limit frag2 memory usage to [number] bytes

# (default: 4194304)

#

# min_ttl [number] - minimum ttl to accept

# 

# ttl_limit [number] - difference of ttl to accept without alerting

# will cause false positves with router flap

# 

# Frag2 uses Generator ID 113 and uses the following SIDS 

# for that GID:

# SID Event description

# ----- -------------------

# 1 Oversized fragment (reassembled frag > 64k bytes)

# 2 Teardrop-type attack

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort

#----------------------------------------------------------------------

# Use in concert with the -z [all|est] command line switch to defeat stick/snot

# against TCP rules. Also performs full TCP stream reassembly, stateful

# inspection of TCP streams, etc. Can statefully detect various portscan

# types, fingerprinting, ECN, etc.

# stateful inspection directive

# no arguments loads the defaults (timeout 30, memcap 8388608)

# options (options are comma delimited):

# detect_scans - stream4 will detect stealth portscans and generate alerts

# when it sees them when this option is set

# detect_state_problems - detect TCP state problems, this tends to be very

# noisy because there are a lot of crappy ip stack

# implementations out there

#

# disable_evasion_alerts - turn off the possibly noisy mitigation of

# overlapping sequences.

#

#

# min_ttl [number] - set a minium ttl that snort will accept to

# stream reassembly

#

# ttl_limit [number] - differential of the initial ttl on a session versus

# the normal that someone may be playing games.

# Routing flap may cause lots of false positives.

# 

# keepstats [machine|binary] - keep session statistics, add "machine" to 

# get them in a flat format for machine reading, add

# "binary" to get them in a unified binary output 

# format

# noinspect - turn off stateful inspection only

# timeout [number] - set the session timeout counter to [number] seconds,

# default is 30 seconds

# memcap [number] - limit stream4 memory usage to [number] bytes

# log_flushed_streams - if an event is detected on a stream this option will

# cause all packets that are stored in the stream4

# packet buffers to be flushed to disk. This only 

# works when logging in pcap mode!

#

# Stream4 uses Generator ID 111 and uses the following SIDS 

# for that GID:

# SID Event description

# ----- -------------------

# 1 Stealth activity

# 2 Evasive RST packet

# 3 Evasive TCP packet retransmission

# 4 TCP Window violation

# 5 Data on SYN packet

# 6 Stealth scan: full XMAS

# 7 Stealth scan: SYN-ACK-PSH-URG

# 8 Stealth scan: FIN scan

# 9 Stealth scan: NULL scan

# 10 Stealth scan: NMAP XMAS scan

# 11 Stealth scan: Vecna scan

# 12 Stealth scan: NMAP fingerprint scan stateful detect

# 13 Stealth scan: SYN-FIN scan

# 14 TCP forward overlap

preprocessor stream4: disable_evasion_alerts

# tcp stream reassembly directive

# no arguments loads the default configuration 

# Only reassemble the client,

# Only reassemble the default list of ports (See below), 

# Give alerts for "bad" streams

#

# Available options (comma delimited):

# clientonly - reassemble traffic for the client side of a connection only

# serveronly - reassemble traffic for the server side of a connection only

# both - reassemble both sides of a session

# noalerts - turn off alerts from the stream reassembly stage of stream4

# ports [list] - use the space separated list of ports in [list], "all" 

# will turn on reassembly for all ports, "default" will turn

# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111

# and 513

preprocessor stream4_reassemble

# http_inspect: normalize and detect HTTP traffic and protocol anomalies

#

# lots of options available here. See doc/README.http_inspect.

# unicode.map should be wherever your snort.conf lives, or given

# a full path to where snort can find it.

preprocessor http_inspect: global \

iis_unicode_map unicode.map 1252 

preprocessor http_inspect_server: server default \

profile all ports { 80 8080 8180 } oversize_dir_length 500

#

# Example unqiue server configuration

#

#preprocessor http_inspect_server: server 1.1.1.1 \

# ports { 80 3128 8080 } \

# flow_depth 0 \

# ascii no \

# double_decode yes \

# non_rfc_char { 0x00 } \

# chunk_length 500000 \

# non_strict \

# oversize_dir_length 300 \

# no_alerts

 

# rpc_decode: normalize RPC traffic

# ---------------------------------

# RPC may be sent in alternate encodings besides the usual 4-byte encoding

# that is used by default. This plugin takes the port numbers that RPC

# services are running on as arguments - it is assumed that the given ports

# are actually running this type of service. If not, change the ports or turn

# it off.

# The RPC decode preprocessor uses generator ID 106

#

# arguments: space separated list

# alert_fragments - alert on any rpc fragmented TCP data

# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet

# no_alert_large_fragments - don't alert when the fragmented

# sizes exceed the current packet size

# no_alert_incomplete - don't alert when a single segment

# exceeds the current packet size

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector

# -------------------------

# Detects Back Orifice traffic on the network. Takes no arguments in 2.0.

# 

# The Back Orifice detector uses Generator ID 105 and uses the 

# following SIDS for that GID:

# SID Event description

# ----- -------------------

# 1 Back Orifice traffic detected

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer

# ---------------------------------------------------

# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp

# traffic. It works in much the same way as the http_decode preprocessor,

# searching for traffic that breaks up the normal data stream of a protocol and

# replacing it with a normalized representation of that traffic so that the

# "content" pattern matching keyword can work without requiring modifications.

# This preprocessor requires no arguments.

# Portscan uses Generator ID 109 and does not generate any SID currently.

preprocessor telnet_decode

# Flow-Portscan: detect a variety of portscans

# ---------------------------------------

# Note: The Flow preprocessor (above) must first be enabled for Flow-Portscan to

# work.

#

# This module detects portscans based off of flow creation in the flow

# preprocessors. The goal is to catch catch one->many hosts and one->many

# ports scans.

#

# Flow-Portscan has numerous options available, please read

# README.flow-portscan for help configuring this option. 

# Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:

# SID Event description

# ----- -------------------

# 1 flow-portscan: Fixed Scale Scanner Limit Exceeded

# 2 flow-portscan: Sliding Scale Scanner Limit Exceeded 

# 3 flow-portscan: Fixed Scale Talker Limit Exceeded

# 4 flow-portscan: Sliding Scale Talker Limit Exceeded

# preprocessor flow-portscan: \

# talker-sliding-scale-factor 0.50 \

# talker-fixed-threshold 30 \

# talker-sliding-threshold 30 \

# talker-sliding-window 20 \

# talker-fixed-window 30 \

# scoreboard-rows-talker 30000 \

# server-watchnet [10.2.0.0/30] \

# server-ignore-limit 200 \

# server-rows 65535 \

# server-learning-time 14400 \

# server-scanner-limit 4 \

# scanner-sliding-window 20 \

# scanner-sliding-scale-factor 0.50 \

# scanner-fixed-threshold 15 \

# scanner-sliding-threshold 40 \

# scanner-fixed-window 15 \

# scoreboard-rows-scanner 30000 \

# src-ignore-net [192.168.1.1/32,192.168.0.0/24] \

# dst-ignore-net [10.0.0.0/30] \

# alert-mode once \

# output-mode msg \

# tcp-penalties on

# arpspoof

#----------------------------------------

# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,

# unicast ARP requests, and specific ARP mapping monitoring. To make use of

# this preprocessor you must specify the IP and hardware address of hosts on

# the same layer 2 segment as you. Specify one host IP MAC combo per line.

# Also takes a "-unicast" option to turn on unicast ARP request detection. 

# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:

# SID Event description

# ----- -------------------

# 1 Unicast ARP request

# 2 Etherframe ARP mismatch (src)

# 3 Etherframe ARP mismatch (dst)

# 4 ARP cache overwrite attack

#preprocessor arpspoof

#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

 

# Performance Statistics

# ----------------------

# Documentation for this is provided in the Snort Manual. You should read it.

# It is included in the release distribution as doc/snort_manual.pdf

# 

# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

####################################################################

# Step #3: Configure output plugins

#

# Uncomment and configure the output plugins you decide to use. General

# configuration for output plugins is of the form:

#

# output <name_of_plugin>: <configuration_options>

#

# alert_syslog: log alerts to syslog

# ----------------------------------

# Use one or more syslog facilities as arguments. Win32 can also optionally

# specify a particular hostname/port. Under Win32, the default hostname is

# '127.0.0.1', and the default port is 514.

#

# [Unix flavours should use this format...]

# output alert_syslog: LOG_AUTH LOG_ALERT

#

# [Win32 can use any of these formats...]

# output alert_syslog: LOG_AUTH LOG_ALERT

# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT

# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format

# -------------------------------------------------

# The only argument is the output file name.

output alert_fast: alert.ids

# output log_tcpdump: tcpdump.log

# database: log to a variety of databases

# ---------------------------------------

# See the README.database file for more information about configuring

# and using this plugin.

#

# output database: log, mysql, user=root password=test dbname=db host=localhost

# output database: alert, postgresql, user=snort dbname=snort

# output database: log, odbc, user=snort dbname=snort

# output database: log, mssql, dbname=snort user=snort password=test

# output database: log, oracle, dbname=snort user=snort password=test

# unified: Snort unified binary format alerting and logging

# -------------------------------------------------------------

# The unified output plugin provides two new formats for logging and generating

# alerts from Snort, the "unified" format. The unified format is a straight

# binary format for logging data out of Snort that is designed to be fast and

# efficient. Used with barnyard (the new alert/log processor), most of the

# overhead for logging and alerting to various slow storage mechanisms such as

# databases or the network can now be avoided. 

#

# Check out the spo_unified.h file for the data formats.

#

# Two arguments are supported.

# filename - base filename to write to (current time_t is appended)

# limit - maximum size of spool file in MB (default: 128)

#

# output alert_unified: filename snort.alert, limit 128

# output log_unified: filename snort.log, limit 128

# You can optionally define new rule types and associate one or more output

# plugins specifically to that type.

#

# This example will create a type that will log to just tcpdump.

# ruletype suspicious

# {

# type log

# output log_tcpdump: suspicious.log

# }

#

# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:

# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)

#

# This example will create a rule type that will log to syslog and a mysql

# database:

# ruletype redalert

# {

# type alert

# output alert_syslog: LOG_AUTH LOG_ALERT

# output database: log, mysql, user=snort dbname=snort host=localhost

# }

#

# EXAMPLE RULE FOR REDALERT RULETYPE:

# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \

# (msg:"Someone is being LEET"; flags:A+;)

#

# Include classification & priority settings

#

include c:\Snort\etc\classification.config

#

# Include reference systems

#

include c:\Snort\etc\reference.config

####################################################################

# Step #4: Customize your rule set

#

# Up to date snort rules are available at http://www.snort.org

#

# The snort web site has documentation about how to write your own custom snort

# rules.

#

# The rules included with this distribution generate alerts based on on

# suspicious activity. Depending on your network environment, your security

# policies, and what you consider to be suspicious, some of these rules may

# either generate false positives ore may be detecting activity you consider to

# be acceptable; therefore, you are encouraged to comment out rules that are

# not applicable in your environment.

#

# The following individuals contributed many of rules in this distribution.

#

# Credits:

# Ron Gula <rgula at ...922...> of Network Security Wizards

# Max Vision <vision at ...4...>

# Martin Markgraf <martin at ...923...>

# Fyodor Yarochkin <fygrave at ...121...>

# Nick Rogness <nick at ...176...>

# Jim Forster <jforster at ...176...>

# Scott McIntyre <scott at ...315...>

# Tom Vandepoel <Tom.Vandepoel at ...271...>

# Brian Caswell <bmc at ...950...>

# Zeno <admin at ...4494...>

# Ryan Russell <ryan at ...35...>

 

 

#=========================================

# Include all relevant rulesets here 

# 

# The following rulesets are disabled by default:

#

# web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,

# chat, multimedia, and p2p

# 

# These rules are either site policy specific or require tuning in order to not

# generate false positive alerts in most enviornments.

# 

# Please read the specific include file for more information and

# README.alert_order for how rule ordering affects how alerts are triggered.

#=========================================

#include $RULE_PATH/local.rules

include $RULE_PATH/bad-traffic.rules

include $RULE_PATH/exploit.rules

include $RULE_PATH/scan.rules

include $RULE_PATH/finger.rules

include $RULE_PATH/ftp.rules

include $RULE_PATH/telnet.rules

include $RULE_PATH/rpc.rules

include $RULE_PATH/rservices.rules

include $RULE_PATH/dos.rules

include $RULE_PATH/ddos.rules

include $RULE_PATH/dns.rules

include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules

include $RULE_PATH/web-coldfusion.rules

include $RULE_PATH/web-iis.rules

include $RULE_PATH/web-frontpage.rules

include $RULE_PATH/web-misc.rules

include $RULE_PATH/web-client.rules

include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules

include $RULE_PATH/x11.rules

include $RULE_PATH/icmp.rules

include $RULE_PATH/netbios.rules

include $RULE_PATH/misc.rules

include $RULE_PATH/attack-responses.rules

include $RULE_PATH/oracle.rules

include $RULE_PATH/mysql.rules

include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules

include $RULE_PATH/imap.rules

include $RULE_PATH/pop2.rules

include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules

include $RULE_PATH/other-ids.rules

# include $RULE_PATH/web-attacks.rules

# include $RULE_PATH/backdoor.rules

# include $RULE_PATH/shellcode.rules

# include $RULE_PATH/policy.rules

# include $RULE_PATH/porn.rules

# include $RULE_PATH/info.rules

# include $RULE_PATH/icmp-info.rules

# include $RULE_PATH/virus.rules

# include $RULE_PATH/chat.rules

# include $RULE_PATH/multimedia.rules

# include $RULE_PATH/p2p.rules

#include $RULE_PATH/experimental.rules

# Include any thresholding or suppression commands. See threshold.conf in the

# <snort src>/etc directory for details. Commands don't necessarily need to be

# contained in this conf, but a separate conf makes it easier to maintain them. 

# Uncomment if needed.

# include threshold.conf

 

Thanks for any help.




		
---------------------------------
Do you Yahoo!?
Yahoo! Mail is new and improved - Check it out!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040728/089fdab7/attachment.html>


More information about the Snort-users mailing list