[Snort-users] Enabled Rules Not generating Alerts

Ben Jordan benj at ...12539...
Thu Oct 14 06:13:46 EDT 2004


I have installed and configured snort 2.1.0.  I have successfully configured it to work with Postgres.  I am collecting data, and can see that data in Postgres.  I am getting plenty of http_inspect alerts generated, and they are succesfully showing up in the ACID reports.  I have created scripts to download updated rule sets, unpack them, test them, and impliment them.  Working great...



However, I am not generating any alerts from any rule sets, only preprocessor alerts, such as the http_inspect as stated above.  I have the default rules enabled, as it comes default in snort.conf in 2.1.0.  I have read README.alert_order, and have read several posts on how to check your snort conf.  I have included my snort.conf below.  I have run Nessus, using all tests, on all ports, against the snort IP, and an IP on the internal net from an IP outside the network.  Can anyone see why I am not getting any alerts generated?  I am at a loss.



******



#--------------------------------------------------

#   http://www.snort.org     Snort 2.1.0 Ruleset

#     Contact: snort-sigs at lists.sourceforge.net

#--------------------------------------------------

# $Id: snort.conf,v 1.133.2.3 2004/02/25 16:52:51 jh8 Exp $

#

###################################################

# This file contains a sample snort configuration. 

# You can take the following steps to create your own custom configuration:

#

#  1) Set the network variables for your network

#  2) Configure preprocessors

#  3) Configure output plugins

#  4) Customize your rule set

#

###################################################

# Step #1: Set the network variables:

#

# You must change the following variables to reflect your local network. The

# variable is currently setup for an RFC 1918 address space.

#

# You can specify it explicitly as: 

#

# var HOME_NET 10.1.1.0/24

#

# or use global variable $<interfacename>_ADDRESS which will be always

# initialized to IP address and netmask of the network interface which you run

# snort at.  Under Windows, this must be specified as

# $(<interfacename>_ADDRESS), such as:

# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)

#

# var HOME_NET $eth0_ADDRESS

#

# You can specify lists of IP addresses for HOME_NET

# by separating the IPs with commas like this:

#

# var HOME_NET [10.1.1.0/24,192.168.1.0/24]

#

# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!

#

# or you can specify the variable to be any IP address

# like this:



var HOME_NET [192.168.11.0/24]



# Set up the external network addresses as well.  A good start may be "any"

var EXTERNAL_NET !$HOME_NET



# Configure your server lists.  This allows snort to only look for attacks to

# systems that have a service up.  Why look for HTTP attacks if you are not

# running a web server?  This allows quick filtering based on IP addresses

# These configurations MUST follow the same configuration scheme as defined

# above for $HOME_NET.  



# List of DNS servers on your network 

var DNS_SERVERS $HOME_NET



# List of SMTP servers on your network

var SMTP_SERVERS $HOME_NET



# List of web servers on your network

var HTTP_SERVERS $HOME_NET



# List of sql servers on your network 

var SQL_SERVERS $HOME_NET



# List of telnet servers on your network

var TELNET_SERVERS $HOME_NET



# List of snmp servers on your network

var SNMP_SERVERS $HOME_NET



# Configure your service ports.  This allows snort to look for attacks destined

# to a specific application only on the ports that application runs on.  For

# example, if you run a web server on port 8081, set your HTTP_PORTS variable

# like this:

#

# var HTTP_PORTS 8081

#

# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].

# We will adding support for a real list of ports in the future.



# Ports you run web servers on

#

# Please note:  [80,8080] does not work.

# If you wish to define multiple HTTP ports,

# 

## var HTTP_PORTS 80 

## include somefile.rules

## var HTTP_PORTS 8080

## include somefile.rules

var HTTP_PORTS 89



# Ports you want to look for SHELLCODE on.

var SHELLCODE_PORTS !80



# Ports you do oracle attacks on

var ORACLE_PORTS 1521



# other variables

# 

# AIM servers.  AOL has a habit of adding new AIM servers, so instead of

# modifying the signatures when they do, we add them to this list of servers.

var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]



# Path to your rules files (this can be a relative path)

var RULE_PATH /etc/snort



# Configure the snort decoder

# ============================

#

# Snort's decoder will alert on lots of things such as header

# truncation or options of unusual length or infrequently used tcp options

#

#

# Stop generic decode events:

#

# config disable_decode_alerts

#

# Stop Alerts on experimental TCP options

#

# config disable_tcpopt_experimental_alerts

#

# Stop Alerts on obsolete TCP options

#

# config disable_tcpopt_obsolete_alerts

#

# Stop Alerts on T/TCP alerts

#

# In snort 2.0.1 and above, this only alerts when a TCP option is detected

# that shows T/TCP being actively used on the network.  If this is normal

# behavior for your network, disable the next option.

#

# config disable_tcpopt_ttcp_alerts

#

# Stop Alerts on all other TCPOption type events:

#

# config disable_tcpopt_alerts

#

# Stop Alerts on invalid ip options

#

# config disable_ipopt_alerts



# Configure the detection engine

# ===============================

#

# Use a different pattern matcher in case you have a machine with very limited

# resources:

#

# config detection: search-method lowmem



###################################################

# Step #2: Configure preprocessors

#

# General configuration for preprocessors is of 

# the form

# preprocessor <name_of_processor>: <configuration_options>



# Configure Flow tracking module

# -------------------------------

#

# The Flow tracking module is meant to start unifying the state keeping

# mechanisms of snort into a single place. Right now, only a portscan detector

# is implemented but in the long term,  many of the stateful subsystems of

# snort will be migrated over to becoming flow plugins. This must be enabled

# for flow-portscan to work correctly.

#

# See README.flow for additional information

#

preprocessor flow: stats_interval 0 hash 2



# frag2: IP defragmentation support

# -------------------------------

# This preprocessor performs IP defragmentation.  This plugin will also detect

# people launching fragmentation attacks (usually DoS) against hosts.  No

# arguments loads the default configuration of the preprocessor, which is a 60

# second timeout and a 4MB fragment buffer. 



# The following (comma delimited) options are available for frag2

#    timeout [seconds] - sets the number of [seconds] that an unfinished 

#                        fragment will be kept around waiting for completion,

#                        if this time expires the fragment will be flushed

#    memcap [bytes] - limit frag2 memory usage to [number] bytes

#                      (default:  4194304)

#

#    min_ttl [number] - minimum ttl to accept

# 

#    ttl_limit [number] - difference of ttl to accept without alerting

#                         will cause false positves with router flap

# 

# Frag2 uses Generator ID 113 and uses the following SIDS 

# for that GID:

#  SID     Event description

# -----   -------------------

#   1       Oversized fragment (reassembled frag > 64k bytes)

#   2       Teardrop-type attack



preprocessor frag2



# stream4: stateful inspection/stream reassembly for Snort

#----------------------------------------------------------------------

# Use in concert with the -z [all|est] command line switch to defeat stick/snot

# against TCP rules.  Also performs full TCP stream reassembly, stateful

# inspection of TCP streams, etc.  Can statefully detect various portscan

# types, fingerprinting, ECN, etc.



# stateful inspection directive

# no arguments loads the defaults (timeout 30, memcap 8388608)

# options (options are comma delimited):

#   detect_scans - stream4 will detect stealth portscans and generate alerts

#                  when it sees them when this option is set

#   detect_state_problems - detect TCP state problems, this tends to be very

#                           noisy because there are a lot of crappy ip stack

#                           implementations out there

#

#   disable_evasion_alerts - turn off the possibly noisy mitigation of

#                            overlapping sequences.

#

#

#   min_ttl [number]       - set a minium ttl that snort will accept to

#                            stream reassembly

#

#   ttl_limit [number]     - differential of the initial ttl on a session versus

#                             the normal that someone may be playing games.

#                             Routing flap may cause lots of false positives.

# 

#   keepstats [machine|binary] - keep session statistics, add "machine" to 

#                         get them in a flat format for machine reading, add

#                         "binary" to get them in a unified binary output 

#                         format

#   noinspect - turn off stateful inspection only

#   timeout [number] - set the session timeout counter to [number] seconds,

#                      default is 30 seconds

#   memcap [number] - limit stream4 memory usage to [number] bytes

#   log_flushed_streams - if an event is detected on a stream this option will

#                         cause all packets that are stored in the stream4

#                         packet buffers to be flushed to disk.  This only 

#                         works when logging in pcap mode!

#

# Stream4 uses Generator ID 111 and uses the following SIDS 

# for that GID:

#  SID     Event description

# -----   -------------------

#   1       Stealth activity

#   2       Evasive RST packet

#   3       Evasive TCP packet retransmission

#   4       TCP Window violation

#   5       Data on SYN packet

#   6       Stealth scan: full XMAS

#   7       Stealth scan: SYN-ACK-PSH-URG

#   8       Stealth scan: FIN scan

#   9       Stealth scan: NULL scan

#   10      Stealth scan: NMAP XMAS scan

#   11      Stealth scan: Vecna scan

#   12      Stealth scan: NMAP fingerprint scan stateful detect

#   13      Stealth scan: SYN-FIN scan

#   14      TCP forward overlap



preprocessor stream4: disable_evasion_alerts



# tcp stream reassembly directive

# no arguments loads the default configuration 

#   Only reassemble the client,

#   Only reassemble the default list of ports (See below),  

#   Give alerts for "bad" streams

#

# Available options (comma delimited):

#   clientonly - reassemble traffic for the client side of a connection only

#   serveronly - reassemble traffic for the server side of a connection only

#   both - reassemble both sides of a session

#   noalerts - turn off alerts from the stream reassembly stage of stream4

#   ports [list] - use the space separated list of ports in [list], "all" 

#                  will turn on reassembly for all ports, "default" will turn

#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111

#                  and 513



preprocessor stream4_reassemble



# http_inspect: normalize and detect HTTP traffic and protocol anomalies

#

# lots of options available here. See doc/README.http_inspect.

# unicode.map should be wherever your snort.conf lives, or given

# a full path to where snort can find it.

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 



preprocessor http_inspect_server: server default profile apache ports { 80 89 } oversize_dir_length 500



#

#  Example unqiue server configuration

#

#preprocessor http_inspect_server: server 1.1.1.1 \

#    ports { 80 3128 8080 } \

#    flow_depth 0 \

#    ascii no \

#    double_decode yes \

#    non_rfc_char { 0x00 } \

#    chunk_length 500000 \

#    non_strict \

#    oversize_dir_length 300 \

#    no_alerts





# rpc_decode: normalize RPC traffic

# ---------------------------------

# RPC may be sent in alternate encodings besides the usual 4-byte encoding

# that is used by default. This plugin takes the port numbers that RPC

# services are running on as arguments - it is assumed that the given ports

# are actually running this type of service. If not, change the ports or turn

# it off.

# The RPC decode preprocessor uses generator ID 106

#

# arguments: space separated list

# alert_fragments - alert on any rpc fragmented TCP data

# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet

# no_alert_large_fragments - don't alert when the fragmented

#                            sizes exceed the current packet size

# no_alert_incomplete - don't alert when a single segment

#                       exceeds the current packet size



preprocessor rpc_decode: 111 32771



# bo: Back Orifice detector

# -------------------------

# Detects Back Orifice traffic on the network.  Takes no arguments in 2.0.

# 

# The Back Orifice detector uses Generator ID 105 and uses the 

# following SIDS for that GID:

#  SID     Event description

# -----   -------------------

#   1       Back Orifice traffic detected



preprocessor bo



# telnet_decode: Telnet negotiation string normalizer

# ---------------------------------------------------

# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp

# traffic.  It works in much the same way as the http_decode preprocessor,

# searching for traffic that breaks up the normal data stream of a protocol and

# replacing it with a normalized representation of that traffic so that the

# "content" pattern matching keyword can work without requiring modifications.

# This preprocessor requires no arguments.

# Portscan uses Generator ID 109 and does not generate any SID currently.



# preprocessor telnet_decode



# Flow-Portscan: detect a variety of portscans

# ---------------------------------------

# Note:  The Flow preprocessor (above) must first be enabled for Flow-Portscan to

# work.

#

# This module detects portscans based off of flow creation in the flow

# preprocessors.  The goal is to catch catch one->many hosts and one->many

# ports scans.

#

# Flow-Portscan has numerous options available, please read

# README.flow-portscan for help configuring this option. 



# Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:

#  SID     Event description

# -----   -------------------

#   1       flow-portscan: Fixed Scale Scanner Limit Exceeded

#   2       flow-portscan: Sliding Scale Scanner Limit Exceeded 

#   3       flow-portscan: Fixed Scale Talker Limit Exceeded

#   4	    flow-portscan: Sliding Scale Talker Limit Exceeded



# preprocessor flow-portscan: \

#	talker-sliding-scale-factor 0.50 \

#	talker-fixed-threshold 30 \

#	talker-sliding-threshold 30 \

#	talker-sliding-window 20 \

#	talker-fixed-window 30 \

#	scoreboard-rows-talker 30000 \

#	server-watchnet [10.2.0.0/30] \

#	server-ignore-limit 200 \

#	server-rows 65535 \

#	server-learning-time 14400 \

#	server-scanner-limit 4 \

#	scanner-sliding-window 20 \

#	scanner-sliding-scale-factor 0.50 \

#	scanner-fixed-threshold 15 \

#	scanner-sliding-threshold 40 \

#	scanner-fixed-window 15 \

#	scoreboard-rows-scanner 30000 \

#	src-ignore-net [192.168.1.1/32,192.168.0.0/24] \

#	dst-ignore-net [10.0.0.0/30] \

#	alert-mode once \

#	output-mode msg \

#	tcp-penalties on



# arpspoof

#----------------------------------------

# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,

# unicast ARP requests, and specific ARP mapping monitoring.  To make use of

# this preprocessor you must specify the IP and hardware address of hosts on

# the same layer 2 segment as you.  Specify one host IP MAC combo per line.

# Also takes a "-unicast" option to turn on unicast ARP request detection. 

# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:



#  SID     Event description

# -----   -------------------

#   1       Unicast ARP request

#   2       Etherframe ARP mismatch (src)

#   3       Etherframe ARP mismatch (dst)

#   4       ARP cache overwrite attack



#preprocessor arpspoof

#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00





# Performance Statistics

# ----------------------

# Documentation for this is provided in the Snort Manual.  You should read it.

# It is included in the release distribution as doc/snort_manual.pdf

# 

# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000



####################################################################

# Step #3: Configure output plugins

#

# Uncomment and configure the output plugins you decide to use.  General

# configuration for output plugins is of the form:

#

# output <name_of_plugin>: <configuration_options>

#

# alert_syslog: log alerts to syslog

# ----------------------------------

# Use one or more syslog facilities as arguments.  Win32 can also optionally

# specify a particular hostname/port.  Under Win32, the default hostname is

# '127.0.0.1', and the default port is 514.

#

# [Unix flavours should use this format...]

output alert_syslog: LOG_AUTH LOG_ALERT

#

# [Win32 can use any of these formats...]

# output alert_syslog: LOG_AUTH LOG_ALERT

# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT

# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT



# log_tcpdump: log packets in binary tcpdump format

# -------------------------------------------------

# The only argument is the output file name.

#

# output log_tcpdump: tcpdump.log



# database: log to a variety of databases

# ---------------------------------------

# See the README.database file for more information about configuring

# and using this plugin.

#

# output database: log, mysql, user=root password=test dbname=db host=localhost

output database: log, postgresql, user=snort dbname=snort

# output database: log, odbc, user=snort dbname=snort

# output database: log, mssql, dbname=snort user=snort password=test

# output database: log, oracle, dbname=snort user=snort password=test



# unified: Snort unified binary format alerting and logging

# -------------------------------------------------------------

# The unified output plugin provides two new formats for logging and generating

# alerts from Snort, the "unified" format.  The unified format is a straight

# binary format for logging data out of Snort that is designed to be fast and

# efficient.  Used with barnyard (the new alert/log processor), most of the

# overhead for logging and alerting to various slow storage mechanisms such as

# databases or the network can now be avoided.  

#

# Check out the spo_unified.h file for the data formats.

#

# Two arguments are supported.

#    filename - base filename to write to (current time_t is appended)

#    limit    - maximum size of spool file in MB (default: 128)

#

# output alert_unified: filename snort.alert, limit 128

# output log_unified: filename snort.log, limit 128



# You can optionally define new rule types and associate one or more output

# plugins specifically to that type.

#

# This example will create a type that will log to just tcpdump.

# ruletype suspicious

# {

#   type log

#   output log_tcpdump: suspicious.log

# }

#

# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:

# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)

#

# This example will create a rule type that will log to syslog and a mysql

# database:

# ruletype redalert

# {

#   type alert

#   output alert_syslog: LOG_AUTH LOG_ALERT

#   output database: log, mysql, user=snort dbname=snort host=localhost

# }

#

# EXAMPLE RULE FOR REDALERT RULETYPE:

# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \

#   (msg:"Someone is being LEET"; flags:A+;)



#

# Include classification & priority settings

#



include classification.config



#

# Include reference systems

#



include reference.config



####################################################################

# Step #4: Customize your rule set

#

# Up to date snort rules are available at http://www.snort.org

#

# The snort web site has documentation about how to write your own custom snort

# rules.

#

# The rules included with this distribution generate alerts based on on

# suspicious activity. Depending on your network environment, your security

# policies, and what you consider to be suspicious, some of these rules may

# either generate false positives ore may be detecting activity you consider to

# be acceptable; therefore, you are encouraged to comment out rules that are

# not applicable in your environment.

#

# The following individuals contributed many of rules in this distribution.

#

# Credits:

#   Ron Gula <rgula at ...922...> of Network Security Wizards

#   Max Vision <vision at ...4...>

#   Martin Markgraf <martin at ...923...>

#   Fyodor Yarochkin <fygrave at ...121...>

#   Nick Rogness <nick at ...176...>

#   Jim Forster <jforster at ...176...>

#   Scott McIntyre <scott at ...315...>

#   Tom Vandepoel <Tom.Vandepoel at ...271...>

#   Brian Caswell <bmc at ...950...>

#   Zeno <admin at ...4494...>

#   Ryan Russell <ryan at ...35...>







#=========================================

# Include all relevant rulesets here 

# 

# The following rulesets are disabled by default:

#

#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,

#   chat, multimedia, and p2p

#            

# These rules are either site policy specific or require tuning in order to not

# generate false positive alerts in most enviornments.

# 

# Please read the specific include file for more information and

# README.alert_order for how rule ordering affects how alerts are triggered.

#=========================================



include $RULE_PATH/local.rules

include $RULE_PATH/bad-traffic.rules

include $RULE_PATH/exploit.rules

include $RULE_PATH/scan.rules

include $RULE_PATH/finger.rules

include $RULE_PATH/ftp.rules

include $RULE_PATH/telnet.rules

include $RULE_PATH/rpc.rules

include $RULE_PATH/rservices.rules

include $RULE_PATH/dos.rules

include $RULE_PATH/ddos.rules

include $RULE_PATH/dns.rules

include $RULE_PATH/tftp.rules



include $RULE_PATH/web-cgi.rules

include $RULE_PATH/web-coldfusion.rules

include $RULE_PATH/web-iis.rules

include $RULE_PATH/web-frontpage.rules

include $RULE_PATH/web-misc.rules

include $RULE_PATH/web-client.rules

include $RULE_PATH/web-php.rules



include $RULE_PATH/sql.rules

include $RULE_PATH/x11.rules

include $RULE_PATH/icmp.rules

include $RULE_PATH/netbios.rules

include $RULE_PATH/misc.rules

include $RULE_PATH/attack-responses.rules

include $RULE_PATH/oracle.rules

include $RULE_PATH/mysql.rules

include $RULE_PATH/snmp.rules



include $RULE_PATH/smtp.rules

include $RULE_PATH/imap.rules

include $RULE_PATH/pop2.rules

include $RULE_PATH/pop3.rules



#include $RULE_PATH/nntp.rules

#include $RULE_PATH/other-ids.rules

#include $RULE_PATH/web-attacks.rules

#include $RULE_PATH/backdoor.rules

#include $RULE_PATH/shellcode.rules

#include $RULE_PATH/policy.rules

#include $RULE_PATH/porn.rules

#include $RULE_PATH/info.rules

#include $RULE_PATH/icmp-info.rules

#include $RULE_PATH/virus.rules

#include $RULE_PATH/chat.rules

#include $RULE_PATH/multimedia.rules

#include $RULE_PATH/p2p.rules

#include $RULE_PATH/experimental.rules



# Include any thresholding or suppression commands. See threshold.conf in the

# <snort src>/etc directory for details. Commands don't necessarily need to be

# contained in this conf, but a separate conf makes it easier to maintain them. 

# Uncomment if needed.

# include threshold.conf



Thank you kindly, 



Ben Jordan





More information about the Snort-users mailing list