[Snort-users] start snort in IDS mode

Plantier, Spencer spencer.plantier at ...12801...
Thu Feb 10 07:34:20 EST 2005


This is what I have.

Example of snort.conf

include $RULE_PATH /opt/snort/rules/smtp.rules^M
include $RULE_PATH /opt/snort/rules/imap.rules^M
include $RULE_PATH /opt/snort/rules/pop2.rules^M
include $RULE_PATH /opt/snort/rules/pop3.rules^M

Thanks,

opt/snort/etc

# ls -l
total 706
-rw-r--r--   1 root     other       6004 Feb 10 08:36 Makefile
-rw-r--r--   1 root     other        230 Feb 10 08:36 Makefile.am
-rw-r--r--   1 root     other       5464 Feb 10 08:36 Makefile.in
-rw-r--r--   1 root     other       3521 Feb 10 08:36 classification.config
-rw-r--r--   1 root     other       8066 Feb 10 08:36 gen-msg.map
-rw-r--r--   1 root     other       1622 Feb 10 08:36 generators
-rw-r--r--   1 root     other        608 Feb 10 08:36 reference.config
-rw-r--r--   1 root     other         58 Feb 10 08:36 sid
-rw-r--r--   1 root     other     235477 Feb 10 08:36 sid-msg.map
-rw-r--r--   1 root     other      28162 Feb 10 09:37 snort.conf
-rw-r--r--   1 root     other       2319 Feb 10 08:36 threshold.conf
-rw-r--r--   1 root     other      53841 Feb 10 08:36 unicode.map
#

 

#  cd ..
# ls -l
total 12
drwxr-xr-x   2 root     other        512 Feb 10 08:33 bin
drwxr-xr-x   2 root     other        512 Feb 10 09:35 etc
drwxr-xr-x   2 root     other        512 Feb 10 08:35 folder
drwxr-xr-x   3 root     other        512 Feb 10 08:33 man
drwxr-xr-x   2 root     other       1536 Feb 10 08:36 rules

# cd rules
# ls -l
total 2018
-rw-r--r--   1 root     other       6551 Feb 10 08:36 Makefile
-rw-r--r--   1 root     other        777 Feb 10 08:36 Makefile.am
-rw-r--r--   1 root     other       6009 Feb 10 08:36 Makefile.in
-rw-r--r--   1 root     other       4768 Feb 10 08:36 attack-responses.rules
-rw-r--r--   1 root     other      16612 Feb 10 08:36 backdoor.rules
-rw-r--r--   1 root     other       3000 Feb 10 08:36 bad-traffic.rules
-rw-r--r--   1 root     other       7212 Feb 10 08:36 chat.rules
-rw-r--r--   1 root     other       6783 Feb 10 08:36 ddos.rules
-rw-r--r--   1 root     other      63449 Feb 10 08:36 deleted.rules
-rw-r--r--   1 root     other       5381 Feb 10 08:36 dns.rules
-rw-r--r--   1 root     other       4831 Feb 10 08:36 dos.rules
-rw-r--r--   1 root     other        471 Feb 10 08:36 experimental.rules
-rw-r--r--   1 root     other      24415 Feb 10 08:36 exploit.rules
-rw-r--r--   1 root     other       3112 Feb 10 08:36 finger.rules
-rw-r--r--   1 root     other      20491 Feb 10 08:36 ftp.rules
-rw-r--r--   1 root     other      15618 Feb 10 08:36 icmp-info.rules
-rw-r--r--   1 root     other       4488 Feb 10 08:36 icmp.rules
-rw-r--r--   1 root     other      12577 Feb 10 08:36 imap.rules
-rw-r--r--   1 root     other       2430 Feb 10 08:36 info.rules
-rw-r--r--   1 root     other        199 Feb 10 08:36 local.rules
-rw-r--r--   1 root     other      16657 Feb 10 08:36 misc.rules
-rw-r--r--   1 root     other       2866 Feb 10 08:36 multimedia.rules
-rw-r--r--   1 root     other        816 Feb 10 08:36 mysql.rules
-rw-r--r--   1 root     other     118680 Feb 10 08:36 netbios.rules
-rw-r--r--   1 root     other       3895 Feb 10 08:36 nntp.rules
-rw-r--r--   1 root     other     176913 Feb 10 08:36 oracle.rules
-rw-r--r--   1 root     other       1383 Feb 10 08:36 other-ids.rules
-rw-r--r--   1 root     other       3953 Feb 10 08:36 p2p.rules
-rw-r--r--   1 root     other       5323 Feb 10 08:36 policy.rules
-rw-r--r--   1 root     other       1228 Feb 10 08:36 pop2.rules
-rw-r--r--   1 root     other       8578 Feb 10 08:36 pop3.rules
-rw-r--r--   1 root     other       5061 Feb 10 08:36 porn.rules
-rw-r--r--   1 root     other      51378 Feb 10 08:36 rpc.rules
-rw-r--r--   1 root     other       2920 Feb 10 08:36 rservices.rules
-rw-r--r--   1 root     other       4088 Feb 10 08:36 scan.rules
-rw-r--r--   1 root     other       4727 Feb 10 08:36 shellcode.rules
-rw-r--r--   1 root     other      22090 Feb 10 08:36 smtp.rules
-rw-r--r--   1 root     other       4915 Feb 10 08:36 snmp.rules
-rw-r--r--   1 root     other      14409 Feb 10 08:36 sql.rules
-rw-r--r--   1 root     other       3572 Feb 10 08:36 telnet.rules
-rw-r--r--   1 root     other       2560 Feb 10 08:36 tftp.rules
-rw-r--r--   1 root     other       1211 Feb 10 08:36 virus.rules
-rw-r--r--   1 root     other      10229 Feb 10 08:36 web-attacks.rules
-rw-r--r--   1 root     other     100668 Feb 10 08:36 web-cgi.rules
-rw-r--r--   1 root     other       7419 Feb 10 08:36 web-client.rules
-rw-r--r--   1 root     other       9166 Feb 10 08:36 web-coldfusion.rules
-rw-r--r--   1 root     other       9484 Feb 10 08:36 web-frontpage.rules
-rw-r--r--   1 root     other      37230 Feb 10 08:36 web-iis.rules
-rw-r--r--   1 root     other      94963 Feb 10 08:36 web-misc.rules
-rw-r--r--   1 root     other      35801 Feb 10 08:36 web-php.rules
-rw-r--r--   1 root     other        573 Feb 10 08:36 x11.rules

 

 

Spencer

________________________________

From: William Fitzgerald [mailto:wfitzgerald at ...9307...] 
Sent: Thursday, February 10, 2005 9:23 AM
To: Plantier, Spencer; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] start snort in IDS mode

 

I wonder if you have the rules directory in the correct place.

you should have:

/opt/snort/etc
/opt/snort/rules

in the snort.conf file:

# Path to your rules files (this can be a relative path)
var RULE_PATH ../rules

this goes up one directory from etc to rules. if you copied the rules to
the etc directory then change the RULE_PATH to reflect this.

 

 

	-----Original Message-----
	From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Plantier, Spencer
	Sent: 10 February 2005 14:17
	To: snort-users at lists.sourceforge.net
	Subject: [Snort-users] start snort in IDS mode

	I got IDS to start but I got the following output:

	opt/snort/bin/snort -c /opt/snort/etc/snort.conf -i hme0

	Running in IDS mode
	Initializing Network Interface hme0
	        --== Initializing Snort ==--
	Initializing Output Plugins!
	Decoding Ethernet on interface hme0
	Initializing Preprocessors!
	Initializing Plug-ins!
	Parsing Rules file /opt/snort/etc/snort.conf
	+++++++++++++++++++++++++++++++++++++++++++++++++++
	Initializing rule chains...
	,-----------[Flow Config]----------------------
	| Stats Interval:  0
	| Hash Method:     2
	| Memcap:          10485760
	| Rows  :          4099
	| Overhead Bytes:  16400(%0.16)
	`----------------------------------------------
	No arguments to frag2 directive, setting defaults to:
	    Fragment timeout: 60 seconds
	    Fragment memory cap: 4194304 bytes
	    Fragment min_ttl:   0
	    Fragment ttl_limit: 5
	    Fragment Problems: 0
	    Self preservation threshold: 500
	    Self preservation period: 90
	    Suspend threshold: 1000
	    Suspend period: 30
	Stream4 config:
	    Stateful inspection: ACTIVE
	    Session statistics: INACTIVE
	    Session timeout: 30 seconds
	    Session memory cap: 8388608 bytes
	    State alerts: INACTIVE
	    Evasion alerts: INACTIVE
	    Scan alerts: INACTIVE
	    Log Flushed Streams: INACTIVE
	    MinTTL: 1
	    TTL Limit: 5
	    Async Link: 0
	    State Protection: 0
	    Self preservation threshold: 50
	    Self preservation period: 90
	    Suspend threshold: 200
	    Suspend period: 30
	    Enforce TCP State: INACTIVE
	    Midstream Drop Alerts: INACTIVE
	Stream4_reassemble config:
	    Server reassembly: INACTIVE
	    Client reassembly: ACTIVE
	    Reassembler alerts: ACTIVE
	    Zero out flushed packets: INACTIVE
	    flush_data_diff_size: 500
	    Ports: 21 23 25 53 80 110 111 143 513 1433
	    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
	HttpInspect Config:
	    GLOBAL CONFIG
	      Max Pipeline Requests:    0
	      Inspection Type:          STATELESS
	      Detect Proxy Usage:       NO
	      IIS Unicode Map Filename: /opt/snort/etc/unicode.map
	      IIS Unicode Map Codepage: 1252
	    DEFAULT SERVER CONFIG:
	      Ports: 80 8080 8180
	      Flow Depth: 300
	      Max Chunk Length: 500000
	      Inspect Pipeline Requests: YES
	      URI Discovery Strict Mode: NO
	      Allow Proxy Usage: NO
	      Disable Alerting: NO
	      Oversize Dir Length: 500
	      Only inspect URI: NO
	      Ascii: YES alert: NO
	      Double Decoding: YES alert: YES
	      %U Encoding: YES alert: YES
	      Bare Byte: YES alert: YES
	      Base36: OFF
	      UTF 8: OFF
	      IIS Unicode: YES alert: YES
	      Multiple Slash: YES alert: NO
	      IIS Backslash: YES alert: NO
	      Directory Traversal: YES alert: NO
	      Web Root Traversal: YES alert: YES
	      Apache WhiteSpace: YES alert: NO
	      IIS Delimiter: YES alert: NO
	      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
	      Non-RFC Compliant Characters: NONE
	rpc_decode arguments:
	    Ports to decode RPC on: 111 32771
	    alert_fragments: INACTIVE
	    alert_large_fragments: ACTIVE
	    alert_incomplete: ACTIVE
	    alert_multiple_requests: ACTIVE
	telnet_decode arguments:
	    Ports to decode telnet on: 21 23 25 119
	Portscan Detection Config:
	    Detect Protocols:  TCP UDP ICMP IP
	    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
	    Sensitivity Level: Low
	    Memcap (in bytes): 10000000
	    Number of Nodes:   36900
	ERROR: /opt/snort/etc/../rules(1) => NULL rule type
	Fatal Error, Quitting..
	#
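As an added example that is not part of the thread and not Snort's own tooling: a small POSIX shell lint that reads the include lines of a snort.conf the way Snort 2.x does, so the two defects visible in Spencer's paste (the ^M carriage returns, and the space between $RULE_PATH and the file name) are caught before the sensor is started. Snort takes only the first token after "include"; with the space, that token is "$RULE_PATH" alone, which expands to the rules directory resolved against the config's own directory, hence the error naming /opt/snort/etc/../rules. The sample tree, file contents, message texts and the names lint_includes and make_sample_conf are my own constructions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not Snort's tooling): lint the "include"
# lines of a Snort 2.x snort.conf as Snort will read them. It reports:
#   * CRLF line endings (the ^M at the end of the pasted include lines)
#   * a space between $RULE_PATH and the file name: Snort honours only the
#     first token, so it tries to include the rules directory itself and
#     dies with "ERROR: <dir>(1) => NULL rule type"
#   * include targets that resolve to a directory or to a missing file
# Usage: lint_includes /opt/snort/etc/snort.conf   (exit status 1 if anything is wrong)

CR=$(printf '\r')
TAB=$(printf '\t')

lint_includes() {
    conf=$1
    confdir=$(dirname "$conf")
    rp='$RULE_PATH'
    # RULE_PATH as Snort sees it: "var RULE_PATH ../rules" -> ../rules (CR stripped)
    rule_path=$(sed -n 's/^var[[:space:]]*RULE_PATH[[:space:]]*//p' "$conf" | tr -d '\r' | head -n 1)
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            *"$CR") printf 'line %d: CRLF line ending (run dos2unix on the file)\n' "$n"
                    rc=1; line=${line%"$CR"} ;;
        esac
        case $line in
            include' '*|include"$TAB"*) ;;
            *) continue ;;
        esac
        # Split the arguments (globbing off); Snort only honours the first token
        set -f; set -- ${line#include}; set +f
        if [ $# -gt 1 ]; then
            printf 'line %d: extra token after "%s" (write %s/file.rules with no space)\n' "$n" "$1" "$rp"
            rc=1
        fi
        target=$1
        # Expand $RULE_PATH, then resolve a relative path against the config's directory
        case $target in
            "$rp"*) target="$rule_path${target#"$rp"}" ;;
        esac
        case $target in
            /*) path=$target ;;
            *)  path="$confdir/$target" ;;
        esac
        if [ -d "$path" ]; then
            printf 'line %d: %s is a directory; Snort would fail with "NULL rule type"\n' "$n" "$path"; rc=1
        elif [ ! -f "$path" ]; then
            printf 'line %d: %s does not exist\n' "$n" "$path"; rc=1
        else
            printf 'line %d: OK %s\n' "$n" "$path"
        fi
    done < "$conf"
    return $rc
}

# Constructed sample tree (hypothetical paths, not the poster's files) that
# reproduces the thread: etc/ and rules/ side by side, a CRLF config, one
# include with the stray space, one correct include, one missing rules file.
make_sample_conf() {
    mkdir -p "$1/etc" "$1/rules"
    : > "$1/rules/smtp.rules"
    : > "$1/rules/local.rules"
    {
        printf 'var RULE_PATH ../rules\r\n'
        printf 'include $RULE_PATH /opt/snort/rules/smtp.rules\r\n'
        printf 'include $RULE_PATH/local.rules\n'
        printf 'include $RULE_PATH/missing.rules\n'
    } > "$1/etc/snort.conf"
}

tmp=$(mktemp -d)
make_sample_conf "$tmp"
lint_includes "$tmp/etc/snort.conf" || echo "fix the lines above before starting Snort"
rm -rf "$tmp"
```

On the sample tree the lint reports CRLF on lines 1 and 2, the extra token on line 2 together with "etc/../rules is a directory", OK for line 3, and "does not exist" for line 4. The corrected form of the pasted lines is `include $RULE_PATH/smtp.rules` with no space; an absolute path also works, but then `$RULE_PATH` has to be dropped rather than prefixed.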
