[Snort-users] Snort's configuration.Thanks!!!

Santi Benito benisoroa at ...11827...
Thu May 4 06:26:02 EDT 2006


Hi! First of all thank you for your preocupation, this is the
information that you ask for.
The email is a little bit large, I hope it doesn't bore you.

What version of Snort are you running?
What version of libpcap are you running?
Please cut and paste your command line here.
Please cut and paste your snort.conf here (please remove anything
identifiable as internal.. eg. passwords, home_net..etc.)
Please tell us about your network configuration
Please tell us your hardware configuration.

Thank you Joel and rmkml for your desinterested help
The next lines are the response to this questions:

•Configuration del SNORT: dpkg –l | grep snort
Version Snort: 2.3.3-2.1

•Version  kernel: uname –a
Version kernel: 2.6.13.4

•Version  libpcap: dpkg –l | grep libpcap
ii libpcap0.7 	0.7.2-7 	System interface for user-lev
ii libpcap0.8 	0.9.4-1 	System interface for user-lev

But I really don´t know what of both is Snort using…and also don´t
know how to change it….

•Command line of Snort:

sudo snort -b -i eth1 -c /etc/snort/snort.conf   -l  /etc/snort/ santi_prueba

•Snort.conf

I have a conventional configuration file, I will send you all of it
unless the comments with # of the conventional snort.conf  that
becomes by default.

#--------------------------------------------------
# $Id: snort.conf,v 1.144.2.11 2005/04/22 19:15:49 jhewlett Exp $
#
###################################################
# Step #1: Set the network variables:

var HOME_NET any #it is written like this because I want to analyze
all the packets that I replay from the source

# Set up the external network addresses as well.  A good start may be "any"
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80

var SHELLCODE_PORTS !80

var ORACLE_PORTS 1521


var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]


var RULE_PATH /etc/snort/rules

# config detection: search-method lowmem

###################################################
# Step #2: Configure preprocessors

preprocessor flow: stats_interval 0 hash 2

preprocessor frag2

preprocessor stream4: disable_evasion_alerts detect_scans

preprocessor stream4_reassemble

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default profile all ports {
80 8080 8180 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor telnet_decode

preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }
				

preprocessor xlink2state: ports { 25 691 }

						  ####################################################################
 # Step #3: Configure output plugins

output log_tcpdump: tcpdump.log

include classification.config

include reference.config

						  ####################################################################
# Step #4: Configure snort with config statements
#
# See the snort manual for a full set of configuration references

config flowbits_size: 256

¿Here do I have to write something for the memcap?

						  ####################################################################
 # Step #5: Customize your rule set
 #
include $RULE_PATH/p2p.rules
include threshold.conf
						


•Network configuration: My network configuration is very special, I
only have two computers, that are connected by eth1, the Ethernet card
is Gb Ethernet card. I replay some files from one to another and I
analyze how many packets are dropped in the destination computer.
That's my main problem, as I increase replaying rate, the packets that
are dropped increase also amazingly and I don´t know why this drop
number increases so much.

•Hardware configuration: 	
• command lspci –v

RAID bus controller: Silicon Image, Inc. (formerly CMD Technology Inc)
SiI 3114 [SATALink/SATARaid] Serial ATA Controller (rev 02)
        Subsystem: Asustek Computer, Inc.: Unknown device 8167
        Flags: bus master, 66MHz, medium devsel, latency 32, IRQ 5
        I/O ports at 9000 [size=8]
        I/O ports at 9400 [size=4]
        I/O ports at 9800 [size=8]
        I/O ports at 9c00 [size=4]
        I/O ports at a000 [size=16]
        Memory at d9004000 (32-bit, non-prefetchable) [size=1K]
        Expansion ROM at 40000000 [disabled] [size=512K]

Ethernet controller: Marvell Technology Group Ltd. Yukon Gigabit
Ethernet 10/100/1000Base-T Adapter (rev 13)
        Subsystem: Asustek Computer, Inc.: Unknown device 811a
        Flags: bus master, 66MHz, medium devsel, latency 32, IRQ 3
        Memory at d9000000 (32-bit, non-prefetchable) [size=16K]
        I/O ports at a400 [size=256]
        Expansion ROM at 40080000 [disabled] [size=128K]

•command cat  /proc/….
cpuinfo
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 15
model           : 47
model name      : AMD Athlon(tm) 64 Processor 3500+
stepping        : 2
cpu MHz         : 2211.520
cache size      : 512 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes

meminfo

MemTotal:       905476 kB
MemFree:        360080 kB
Buffers:        127472 kB
Cached:         255772 kB




More information about the Snort-users mailing list