[Snort-users] Snort not capturing data

Ravi Verma ravi.verma at ...12525...
Fri Oct 8 08:51:52 EDT 2004


Dear Shawn:

I checked the value for EXTERNAL_NET and it is set to ANY.  Snort  would 
not start if EXTERNAL_NET is not defined. Now the entries in snort.conf 
look  as follows.

var HOME_NET [10.1.0.0/16,10.2.0.0/16,10.4.0.0]

var EXTERNAL_NET !$HOME_NET

Still Snort is not writing any data into mysql.

Regards.

Shawn Kottke wrote:

>Just looking at your snort.conf file it looks like you do not have an
>EXTERNAL_NET variable defined.
>
>Look for this line right below your "var HOME_NET any" line:
># Set up the external network addresses as well.  A good start may be
>"any" var EXTERNAL_NET any
>
>Check to make sure that "var EXTERNAL_NET any" is on a line by itself.
>Looking at what you sent it is on the same line as the remarks line.
>
>Once you better define the HOME_NET variable you will most likely want
>to set the EXTERNAL_NET variable to "!$HOME_NET" (not HOME_NET).
>
>This is a place to start.
>
>
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Ravi Verma
>Sent: Thursday, October 07, 2004 9:07 PM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] Snort not capturing data
>
>Dear Friends:
>
>I am new to Snort. I have installed Snort on a Linux machine. I followed
>the Snort Install Manual by (Saint) Patrick Harper and it was fairly
>smooth. 
>
>Unfortunately Snort is not capturing any data. When I login into mysql
>as the snort user, there is 0 records in the events table. I have ACID
>running and that shows 0 sensor. Though the output from the sensor table
>in the snort database has the following output.
>+-----+-------------+-----------+--------+--------+----------+----------
>+
>| sid | hostname    | interface | filter | detail | encoding | last_cid
>|
>+-----+-------------+-----------+--------+--------+----------+----------
>+|
>|   3 | copper:eth0 | eth0      | NULL   |      1 |        0 |        0
>|
>+-----+-------------+-----------+--------+--------+----------+----------
>+
>
>I have put the output of the command  "snort -T -c /etc/snort/snort.conf
>-i eth0 -g snort" and snort.conf file below.
>
>
>I appreciate your help.
>
>Running in IDS mode
>Log directory = /var/log/snort
>
>Initializing Network Interface eth0
>OpenPcap() device eth0 network lookup:
>        eth0: no IPv4 address assigned
>
>        --== Initializing Snort ==--
>Initializing Output Plugins!
>Decoding Ethernet on interface eth0
>Initializing Preprocessors!
>Initializing Plug-ins!
>Parsing Rules file /etc/snort/snort.conf
>
>+++++++++++++++++++++++++++++++++++++++++++++++++++
>Initializing rule chains...
>,-----------[Flow Config]----------------------
>| Stats Interval:  0
>| Hash Method:     2
>| Memcap:          10485760
>| Rows  :          4099
>| Overhead Bytes:  16400(%0.16)
>`----------------------------------------------
>No arguments to frag2 directive, setting defaults to:
>    Fragment timeout: 60 seconds
>    Fragment memory cap: 4194304 bytes
>    Fragment min_ttl:   0
>    Fragment ttl_limit: 5
>    Fragment Problems: 0
>    Self preservation threshold: 500
>    Self preservation period: 90
>    Suspend threshold: 1000
>    Suspend period: 30
>Stream4 config:
>    Stateful inspection: ACTIVE
>    Session statistics: INACTIVE
>    Session timeout: 30 seconds
>    Session memory cap: 8388608 bytes
>    State alerts: INACTIVE
>    Evasion alerts: INACTIVE
>    Scan alerts: INACTIVE
>    Log Flushed Streams: INACTIVE
>    MinTTL: 1
>    TTL Limit: 5
>    Async Link: 0
>    State Protection: 0
>    Self preservation threshold: 50
>    Self preservation period: 90
>    Suspend threshold: 200
>    Suspend period: 30
>Stream4_reassemble config:
>    Server reassembly: INACTIVE
>    Client reassembly: ACTIVE
>    Reassembler alerts: ACTIVE
>    Zero out flushed packets: INACTIVE
>    flush_data_diff_size: 500
>    Ports: 21 23 25 53 80 110 111 143 513 1433
>    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
>rpc_decode arguments:
>    Ports to decode RPC on: 111 32771
>    alert_fragments: INACTIVE
>    alert_large_fragments: ACTIVE
>    alert_incomplete: ACTIVE
>    alert_multiple_requests: ACTIVE
>telnet_decode arguments:
>    Ports to decode telnet on: 21 23 25 119
>database: compiled support for ( mysql )
>database: configured to use mysql
>database:          user = snort
>database: password is set
>database: database name = snort
>database:          host = localhost
>database:   sensor name = copper:eth0
>database:     sensor id = 3
>database: schema version = 106
>database: using the "log" facility
>1864 Snort rules read...
>1864 Option Chains linked into 173 Chain Headers
>0 Dynamic rules
>+++++++++++++++++++++++++++++++++++++++++++++++++++
>
>Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
>
>+-----------------------[thresholding-config]---------------------------
>-------
>| memory-cap : 1048576 bytes
>+-----------------------[thresholding-global]---------------------------
>-------
>| none
>+-----------------------[thresholding-local]----------------------------
>-------
>| gen-id=1      sig-id=2523      type=Both       tracking=dst count=10
>seconds=10
>| gen-id=1      sig-id=2496      type=Both       tracking=dst count=20
>seconds=60
>| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5
>seconds=60
>| gen-id=1      sig-id=2495      type=Both       tracking=dst count=20
>seconds=60
>| gen-id=1      sig-id=2494      type=Both       tracking=dst count=20
>seconds=60
>+-----------------------[suppression]-----------------------------------
>-------
>------------------------------------------------------------------------
>-------
>Rule application order: ->activation->dynamic->alert->pass->log
>
>        --== Initialization Complete ==--
>
>-*> Snort! <*-
>Version 2.2.0 (Build 30)
>By Martin Roesch (roesch at ...1935..., www.snort.org)
>
>Snort sucessfully loaded all rules and checked all rule chains!
>Final Flow Statistics
>,----[ FLOWCACHE STATS ]----------
>Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
>Overhead blocks: 1 Could Hold: (0)
>IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
>    finds: 0 reversed: 0(%0.000000)
>    find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows:
>0
>Snort exiting
>database: Closing connection to database ""
>
>### snort.conf file ####
>#--------------------------------------------------
>#
>#   http://www.snort.org     Snort 2.1.0 Ruleset
>#     Contact: snort-sigs at lists.sourceforge.net
>#--------------------------------------------------
># $Id: snort.conf,v 1.142.2.2 2004/08/05 18:55:37 jhewlett Exp $ #
>###################################################
># This file contains a sample snort configuration. 
># You can take the following steps to create your own custom
>configuration: # #  1) Set the network variables for your network #  2)
>Configure preprocessors #  3) Configure output plugins #  4) Customize
>your rule set # ###################################################
># Step #1: Set the network variables:
>#
># You must change the following variables to reflect your local network.
>The # variable is currently setup for an RFC 1918 address space. # # You
>can specify it explicitly as: 
>#
># var HOME_NET 10.1.1.0/24
>#
># or use global variable $<interfacename>_ADDRESS which will be always #
>initialized to IP address and netmask of the network interface which you
>run # snort at.  Under Windows, this must be specified as #
>$(<interfacename>_ADDRESS), such as: #
>$(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
>#
># var HOME_NET $eth0_ADDRESS
>#
># You can specify lists of IP addresses for HOME_NET
># by separating the IPs with commas like this:
>#
># var HOME_NET [10.1.1.0/24,192.168.1.0/24]
>#
># MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
>#
># or you can specify the variable to be any IP address
># like this:
>
>var HOME_NET any
>
># Set up the external network addresses as well.  A good start may be
>"any" var EXTERNAL_NET any
>
># Configure your server lists.  This allows snort to only look for
>attacks to # systems that have a service up.  Why look for HTTP attacks
>if you are not # running a web server?  This allows quick filtering
>based on IP addresses # These configurations MUST follow the same
>configuration scheme as defined # above for $HOME_NET.  
>
># List of DNS servers on your network 
>var DNS_SERVERS $HOME_NET
>
># List of SMTP servers on your network
>var SMTP_SERVERS $HOME_NET
>
># List of web servers on your network
>var HTTP_SERVERS $HOME_NET
>
># List of sql servers on your network 
>var SQL_SERVERS $HOME_NET
>
># List of telnet servers on your network
>var TELNET_SERVERS $HOME_NET
>
># List of snmp servers on your network
>var SNMP_SERVERS $HOME_NET
>
># Configure your service ports.  This allows snort to look for attacks
>destined # to a specific application only on the ports that application
>runs on.  For # example, if you run a web server on port 8081, set your
>HTTP_PORTS variable # like this: # # var HTTP_PORTS 8081 # # Port lists
>must either be continuous [eg 80:8080], or a single port [eg 80]. # We
>will adding support for a real list of ports in the future.
>
># Ports you run web servers on
>#
># Please note:  [80,8080] does not work.
># If you wish to define multiple HTTP ports,
># 
>## var HTTP_PORTS 80 
>## include somefile.rules 
>## var HTTP_PORTS 8080
>## include somefile.rules 
>var HTTP_PORTS 80
>
># Ports you want to look for SHELLCODE on.
>var SHELLCODE_PORTS !80
>
># Ports you do oracle attacks on
>var ORACLE_PORTS 1521
>
># other variables
># 
># AIM servers.  AOL has a habit of adding new AIM servers, so instead of
># modifying the signatures when they do, we add them to this list of
>servers. var AIM_SERVERS
>[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,
>64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
>
># Path to your rules files (this can be a relative path)
># Note for Windows users:  You are advised to make this an absolute
>path, # such as:  c:\snort\rules var RULE_PATH /etc/snort
>
># Configure the snort decoder
># ============================
>#
># Snort's decoder will alert on lots of things such as header
># truncation or options of unusual length or infrequently used tcp
>options # # # Stop generic decode events: # # config
>disable_decode_alerts # # Stop Alerts on experimental TCP options # #
>config disable_tcpopt_experimental_alerts
>#
># Stop Alerts on obsolete TCP options
>#
># config disable_tcpopt_obsolete_alerts
>#
># Stop Alerts on T/TCP alerts
>#
># In snort 2.0.1 and above, this only alerts when a TCP option is
>detected # that shows T/TCP being actively used on the network.  If this
>is normal # behavior for your network, disable the next option. # #
>config disable_tcpopt_ttcp_alerts # # Stop Alerts on all other TCPOption
>type events: # # config disable_tcpopt_alerts # # Stop Alerts on invalid
>ip options # # config disable_ipopt_alerts
>
># Configure the detection engine
># ===============================
>#
># Use a different pattern matcher in case you have a machine with very
>limited # resources: # # config detection: search-method lowmem
>
>###################################################
># Step #2: Configure preprocessors
>#
># General configuration for preprocessors is of 
># the form
># preprocessor <name_of_processor>: <configuration_options>
>
># Configure Flow tracking module
># -------------------------------
>#
># The Flow tracking module is meant to start unifying the state keeping
># mechanisms of snort into a single place. Right now, only a portscan
>detector # is implemented but in the long term,  many of the stateful
>subsystems of # snort will be migrated over to becoming flow plugins.
>This must be enabled # for flow-portscan to work correctly. # # See
>README.flow for additional information # preprocessor flow:
>stats_interval 0 hash 2
>
># frag2: IP defragmentation support
># -------------------------------
># This preprocessor performs IP defragmentation.  This plugin will also
>detect # people launching fragmentation attacks (usually DoS) against
>hosts.  No # arguments loads the default configuration of the
>preprocessor, which is a 60 # second timeout and a 4MB fragment buffer. 
>
># The following (comma delimited) options are available for frag2
>#    timeout [seconds] - sets the number of [seconds] that an unfinished
>
>#                        fragment will be kept around waiting for
>completion,
>#                        if this time expires the fragment will be
>flushed
>#    memcap [bytes] - limit frag2 memory usage to [number] bytes
>#                      (default:  4194304)
>#
>#    min_ttl [number] - minimum ttl to accept
># 
>#    ttl_limit [number] - difference of ttl to accept without alerting
>#                         will cause false positves with router flap
># 
># Frag2 uses Generator ID 113 and uses the following SIDS 
># for that GID:
>#  SID     Event description
># -----   -------------------
>#   1       Oversized fragment (reassembled frag > 64k bytes)
>#   2       Teardrop-type attack
>
>preprocessor frag2
>
># stream4: stateful inspection/stream reassembly for Snort
>#----------------------------------------------------------------------
># Use in concert with the -z [all|est] command line switch to defeat
>stick/snot # against TCP rules.  Also performs full TCP stream
>reassembly, stateful # inspection of TCP streams, etc.  Can statefully
>detect various portscan # types, fingerprinting, ECN, etc.
>
># stateful inspection directive
># no arguments loads the defaults (timeout 30, memcap 8388608) # options
>(options are comma delimited):
>#   detect_scans - stream4 will detect stealth portscans and generate
>alerts
>#                  when it sees them when this option is set
>#   detect_state_problems - detect TCP state problems, this tends to be
>very
>#                           noisy because there are a lot of crappy ip
>stack
>#                           implementations out there
>#
>#   disable_evasion_alerts - turn off the possibly noisy mitigation of
>#                            overlapping sequences.
>#
>#
>#   min_ttl [number]       - set a minium ttl that snort will accept to
>#                            stream reassembly
>#
>#   ttl_limit [number]     - differential of the initial ttl on a
>session versus
>#                             the normal that someone may be playing
>games.
>#                             Routing flap may cause lots of false
>positives.
># 
>#   keepstats [machine|binary] - keep session statistics, add "machine"
>to 
>#                         get them in a flat format for machine reading,
>add
>#                         "binary" to get them in a unified binary
>output 
>#                         format
>#   noinspect - turn off stateful inspection only
>#   timeout [number] - set the session timeout counter to [number]
>seconds,
>#                      default is 30 seconds
>#   memcap [number] - limit stream4 memory usage to [number] bytes
>#   log_flushed_streams - if an event is detected on a stream this
>option will
>#                         cause all packets that are stored in the
>stream4
>#                         packet buffers to be flushed to disk.  This
>only 
>#                         works when logging in pcap mode!
>#
># Stream4 uses Generator ID 111 and uses the following SIDS 
># for that GID:
>#  SID     Event description
># -----   -------------------
>#   1       Stealth activity
>#   2       Evasive RST packet
>#   3       Evasive TCP packet retransmission
>#   4       TCP Window violation
>#   5       Data on SYN packet
>#   6       Stealth scan: full XMAS
>#   7       Stealth scan: SYN-ACK-PSH-URG
>#   8       Stealth scan: FIN scan
>#   9       Stealth scan: NULL scan
>#   10      Stealth scan: NMAP XMAS scan
>#   11      Stealth scan: Vecna scan
>#   12      Stealth scan: NMAP fingerprint scan stateful detect
>#   13      Stealth scan: SYN-FIN scan
>#   14      TCP forward overlap
>
>preprocessor stream4: disable_evasion_alerts
>
># tcp stream reassembly directive
># no arguments loads the default configuration 
>#   Only reassemble the client,
>#   Only reassemble the default list of ports (See below),  
>#   Give alerts for "bad" streams
>#
># Available options (comma delimited):
>#   clientonly - reassemble traffic for the client side of a connection
>only
>#   serveronly - reassemble traffic for the server side of a connection
>only
>#   both - reassemble both sides of a session
>#   noalerts - turn off alerts from the stream reassembly stage of
>stream4
>#   ports [list] - use the space separated list of ports in [list],
>"all" 
>#                  will turn on reassembly for all ports, "default" will
>turn
>#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110,
>111
>#                  and 513
>
>preprocessor stream4_reassemble
>
># http_inspect: normalize and detect HTTP traffic and protocol anomalies
># # lots of options available here. See doc/README.http_inspect. #
>unicode.map should be wherever your snort.conf lives, or given # a full
>path to where snort can find it. # preprocessor http_inspect: global \
>#    iis_unicode_map unicode.map 1252 
>
># preprocessor http_inspect_server: server default \
>#    profile all ports { 80 8080 8180 } oversize_dir_length 500
>
>#
>#  Example unqiue server configuration
>#
>#preprocessor http_inspect_server: server 1.1.1.1 \
>#    ports { 80 3128 8080 } \
>#    flow_depth 0 \
>#    ascii no \
>#    double_decode yes \
>#    non_rfc_char { 0x00 } \
>#    chunk_length 500000 \
>#    non_strict \
>#    oversize_dir_length 300 \
>#    no_alerts
>
>
># rpc_decode: normalize RPC traffic
># ---------------------------------
># RPC may be sent in alternate encodings besides the usual 4-byte
>encoding # that is used by default. This plugin takes the port numbers
>that RPC # services are running on as arguments - it is assumed that the
>given ports # are actually running this type of service. If not, change
>the ports or turn # it off. # The RPC decode preprocessor uses generator
>ID 106 # # arguments: space separated list # alert_fragments - alert on
>any rpc fragmented TCP data # no_alert_multiple_requests - don't alert
>when >1 rpc query is in a packet # no_alert_large_fragments - don't
>alert when the fragmented
>#                            sizes exceed the current packet size
># no_alert_incomplete - don't alert when a single segment
>#                       exceeds the current packet size
>
>preprocessor rpc_decode: 111 32771
>
># bo: Back Orifice detector
># -------------------------
># Detects Back Orifice traffic on the network.  Takes no arguments in
>2.0. # 
># The Back Orifice detector uses Generator ID 105 and uses the 
># following SIDS for that GID:
>#  SID     Event description
># -----   -------------------
>#   1       Back Orifice traffic detected
>
>preprocessor bo
>
># telnet_decode: Telnet negotiation string normalizer
># ---------------------------------------------------
># This preprocessor "normalizes" telnet negotiation strings from telnet
>and ftp # traffic.  It works in much the same way as the http_decode
>preprocessor, # searching for traffic that breaks up the normal data
>stream of a protocol and # replacing it with a normalized representation
>of that traffic so that the # "content" pattern matching keyword can
>work without requiring modifications. # This preprocessor requires no
>arguments. # Portscan uses Generator ID 109 and does not generate any
>SID currently.
>
>preprocessor telnet_decode
>
># Flow-Portscan: detect a variety of portscans
># ---------------------------------------
># Note:  The Flow preprocessor (above) must first be enabled for
>Flow-Portscan to # work. # # This module detects portscans based off of
>flow creation in the flow # preprocessors.  The goal is to catch
>one->many hosts and one->many # ports scans. # # Flow-Portscan has
>numerous options available, please read # README.flow-portscan for help
>configuring this option. 
>
># Flow-Portscan uses Generator ID 121 and uses the following SIDS for
>that GID:
>#  SID     Event description
># -----   -------------------
>#   1       flow-portscan: Fixed Scale Scanner Limit Exceeded
>#   2       flow-portscan: Sliding Scale Scanner Limit Exceeded 
>#   3       flow-portscan: Fixed Scale Talker Limit Exceeded
>#   4	    flow-portscan: Sliding Scale Talker Limit Exceeded
>
># preprocessor flow-portscan: \
>#	talker-sliding-scale-factor 0.50 \
>#	talker-fixed-threshold 30 \
>#	talker-sliding-threshold 30 \
>#	talker-sliding-window 20 \
>#	talker-fixed-window 30 \
>#	scoreboard-rows-talker 30000 \
>#	server-watchnet [10.2.0.0/30] \
>#	server-ignore-limit 200 \
>#	server-rows 65535 \
>#	server-learning-time 14400 \
>#	server-scanner-limit 4 \
>#	scanner-sliding-window 20 \
>#	scanner-sliding-scale-factor 0.50 \
>#	scanner-fixed-threshold 15 \
>#	scanner-sliding-threshold 40 \
>#	scanner-fixed-window 15 \
>#	scoreboard-rows-scanner 30000 \
>#	src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
>#	dst-ignore-net [10.0.0.0/30] \
>#	alert-mode once \
>#	output-mode msg \
>#	tcp-penalties on
>
># arpspoof
>#----------------------------------------
># Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
># unicast ARP requests, and specific ARP mapping monitoring.  To make
>use of # this preprocessor you must specify the IP and hardware address
>of hosts on # the same layer 2 segment as you.  Specify one host IP MAC
>combo per line. # Also takes a "-unicast" option to turn on unicast ARP
>request detection. 
># Arpspoof uses Generator ID 112 and uses the following SIDS for that
>GID:
>
>#  SID     Event description
># -----   -------------------
>#   1       Unicast ARP request
>#   2       Etherframe ARP mismatch (src)
>#   3       Etherframe ARP mismatch (dst)
>#   4       ARP cache overwrite attack
>
>#preprocessor arpspoof
>#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>
>
># Performance Statistics
># ----------------------
># Documentation for this is provided in the Snort Manual.  You should
>read it. # It is included in the release distribution as
>doc/snort_manual.pdf # 
># preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt
>10000
>
>####################################################################
># Step #3: Configure output plugins
>#
># Uncomment and configure the output plugins you decide to use.  General
># configuration for output plugins is of the form: # # output
><name_of_plugin>: <configuration_options> # # alert_syslog: log alerts
>to syslog # ----------------------------------
># Use one or more syslog facilities as arguments.  Win32 can also
>optionally # specify a particular hostname/port.  Under Win32, the
>default hostname is # '127.0.0.1', and the default port is 514. # #
>[Unix flavours should use this format...] # output alert_syslog:
>LOG_AUTH LOG_ALERT # # [Win32 can use any of these formats...] # output
>alert_syslog: LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname,
>LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname:port, LOG_AUTH
>LOG_ALERT
>
># log_tcpdump: log packets in binary tcpdump format
># -------------------------------------------------
># The only argument is the output file name.
>#
>output log_tcpdump: tcpdump.log
>
># database: log to a variety of databases
># ---------------------------------------
># See the README.database file for more information about configuring #
>and using this plugin. # output database: log, mysql, user=snort
>password=google dbname=snort host=localhost # output database: alert,
>postgresql, user=snort dbname=snort # output database: log, odbc,
>user=snort dbname=snort # output database: log, mssql, dbname=snort
>user=snort password=test # output database: log, oracle, dbname=snort
>user=snort password=test
>
># unified: Snort unified binary format alerting and logging
># -------------------------------------------------------------
># The unified output plugin provides two new formats for logging and
>generating # alerts from Snort, the "unified" format.  The unified
>format is a straight # binary format for logging data out of Snort that
>is designed to be fast and # efficient.  Used with barnyard (the new
>alert/log processor), most of the # overhead for logging and alerting to
>various slow storage mechanisms such as # databases or the network can
>now be avoided.  
>#
># Check out the spo_unified.h file for the data formats.
>#
># Two arguments are supported.
>#    filename - base filename to write to (current time_t is appended)
>#    limit    - maximum size of spool file in MB (default: 128)
>#
># output alert_unified: filename snort.alert, limit 128
># output log_unified: filename snort.log, limit 128
>
># You can optionally define new rule types and associate one or more
>output # plugins specifically to that type. # # This example will create
>a type that will log to just tcpdump. # ruletype suspicious # {
>#   type log
>#   output log_tcpdump: suspicious.log
># }
>#
># EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
># suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC
>Server";) # # This example will create a rule type that will log to
>syslog and a mysql # database: # ruletype redalert # {
>#   type alert
>#   output alert_syslog: LOG_AUTH LOG_ALERT
>#   output database: log, mysql, user=snort dbname=snort host=localhost
># }
>#
># EXAMPLE RULE FOR REDALERT RULETYPE:
># redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
>#   (msg:"Someone is being LEET"; flags:A+;)
>
>#
># Include classification & priority settings
># Note for Windows users:  You are advised to make this an absolute
>path, # such as:  c:\snort\etc\classification.config
>#
>
>include classification.config
>
>#
># Include reference systems
># Note for Windows users:  You are advised to make this an absolute
>path, # such as:  c:\snort\etc\reference.config #
>
>include reference.config
>
>####################################################################
># Step #4: Customize your rule set
>#
># Up to date snort rules are available at http://www.snort.org # # The
>snort web site has documentation about how to write your own custom
>snort # rules. # # The rules included with this distribution generate
>alerts based on on # suspicious activity. Depending on your network
>environment, your security # policies, and what you consider to be
>suspicious, some of these rules may # either generate false positives
>ore may be detecting activity you consider to # be acceptable;
>therefore, you are encouraged to comment out rules that are # not
>applicable in your environment. # # The following individuals
>contributed many of rules in this distribution. # # Credits:
>#   Ron Gula <rgula at ...922...> of Network Security Wizards
>#   Max Vision <vision at ...4...>
>#   Martin Markgraf <martin at ...923...>
>#   Fyodor Yarochkin <fygrave at ...121...>
>#   Nick Rogness <nick at ...176...>
>#   Jim Forster <jforster at ...176...>
>#   Scott McIntyre <scott at ...315...>
>#   Tom Vandepoel <Tom.Vandepoel at ...271...>
>#   Brian Caswell <bmc at ...950...>
>#   Zeno <admin at ...4494...>
>#   Ryan Russell <ryan at ...35...>
>
>
>
>#=========================================
># Include all relevant rulesets here 
># 
># The following rulesets are disabled by default:
>#
>#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info,
>virus,
>#   chat, multimedia, and p2p
>#            
># These rules are either site policy specific or require tuning in order
>to not # generate false positive alerts in most enviornments. # 
># Please read the specific include file for more information and #
>README.alert_order for how rule ordering affects how alerts are
>triggered. #=========================================
>
>include $RULE_PATH/local.rules
>include $RULE_PATH/bad-traffic.rules
>include $RULE_PATH/exploit.rules
>include $RULE_PATH/scan.rules
>include $RULE_PATH/finger.rules
>include $RULE_PATH/ftp.rules
>include $RULE_PATH/telnet.rules
>include $RULE_PATH/rpc.rules
>include $RULE_PATH/rservices.rules
>include $RULE_PATH/dos.rules
>include $RULE_PATH/ddos.rules
>include $RULE_PATH/dns.rules
>include $RULE_PATH/tftp.rules
>
>include $RULE_PATH/web-cgi.rules
>include $RULE_PATH/web-coldfusion.rules
>include $RULE_PATH/web-iis.rules
>include $RULE_PATH/web-frontpage.rules
>include $RULE_PATH/web-misc.rules
>include $RULE_PATH/web-client.rules
>include $RULE_PATH/web-php.rules
>
>include $RULE_PATH/sql.rules
>include $RULE_PATH/x11.rules
>include $RULE_PATH/icmp.rules
>include $RULE_PATH/netbios.rules
>include $RULE_PATH/misc.rules
>include $RULE_PATH/attack-responses.rules
>include $RULE_PATH/oracle.rules
>include $RULE_PATH/mysql.rules
>include $RULE_PATH/snmp.rules
>
>include $RULE_PATH/smtp.rules
>include $RULE_PATH/imap.rules
>include $RULE_PATH/pop2.rules
>include $RULE_PATH/pop3.rules
>
>include $RULE_PATH/nntp.rules
>include $RULE_PATH/other-ids.rules
># include $RULE_PATH/web-attacks.rules
># include $RULE_PATH/backdoor.rules
># include $RULE_PATH/shellcode.rules
># include $RULE_PATH/policy.rules
># include $RULE_PATH/porn.rules
># include $RULE_PATH/info.rules
># include $RULE_PATH/icmp-info.rules
> include $RULE_PATH/virus.rules
># include $RULE_PATH/chat.rules
># include $RULE_PATH/multimedia.rules
># include $RULE_PATH/p2p.rules
>include $RULE_PATH/experimental.rules
>
># Include any thresholding or suppression commands. See threshold.conf
>in the # <snort src>/etc directory for details. Commands don't
>necessarily need to be # contained in this conf, but a separate conf
>makes it easier to maintain them. 
># Note for Windows users:  You are advised to make this an absolute
>path, # such as:  c:\snort\etc\threshold.conf # Uncomment if needed. #
>include threshold.conf
>
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
>Use IT products in your business? Tell us what you think of them. Give
>us
>Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out
>more
>http://productguide.itmanagersjournal.com/guidepromo.tmpl
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
>Use IT products in your business? Tell us what you think of them. Give us
>Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
>http://productguide.itmanagersjournal.com/guidepromo.tmpl
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list
>
>  
>




More information about the Snort-users mailing list