[Snort-users] error: log_tcpdump TcpdumpInitlogefile():no error

Joel Esler joel.esler at ...1935...
Mon Sep 18 13:02:23 EDT 2006


I know this doesn't help your situation, but I am about to get on a plane, and I figured it would help.

I would use Snort to log to Unified format.  Then get something like barnyard to read the unified file and put it into a db.  Bad juju to have Snort logging directly to DB.

Joel


On Sep 18, 2006, at 12:53 PM, David Lantz wrote:

> Sorry to mail twice, I wanted to add some more information.
>
> I've read through all the readme files, searched the web and the FAQs and haven't found any answer to the error I am receiving.  I've seen other similar posts that didn't get replied to.  I cannot tell which component the error is coming from.  Is it generated from a failed DB connection?
>
> Here is my conf file:
>
> #--------------------------------------------------
> #   http://www.snort.org     Snort 2.6.0 config file
> #     Contact: snort-sigs at lists.sourceforge.net
> #--------------------------------------------------
> # $Id$
> #
> ###################################################
> # This file contains a sample snort configuration.
> # You can take the following steps to create your own custom configuration:
> #
> #  1) Set the variables for your network
> #  2) Configure dynamic loaded libraries
> #  3) Configure preprocessors
> #  4) Configure output plugins
> #  5) Add any runtime config directives
> #  6) Customize your rule set
> #
> ###################################################
> # Step #1: Set the network variables:
> #
> # You must change the following variables to reflect your local network. The
> # variable is currently setup for an RFC 1918 address space.
> #
> # You can specify it explicitly as:
> #
> var HOME_NET 10.0.0.xx/xx
> #
> # or use global variable $<interfacename>_ADDRESS which will be always
> # initialized to IP address and netmask of the network interface which you run
> # snort at.  Under Windows, this must be specified as
> # $(<interfacename>_ADDRESS), such as:
> # $\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS
> #
> # var HOME_NET_ADDRESS
> #
> # You can specify lists of IP addresses for HOME_NET
> # by separating the IPs with commas like this:
> #
> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> #
> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> #
> # or you can specify the variable to be any IP address
> # like this:
>
> # var HOME_NET any
>
> # Set up the external network addresses as well.  A good start may be "any"
> var EXTERNAL_NET any
>
> # Configure your server lists.  This allows snort to only look for attacks to
> # systems that have a service up.  Why look for HTTP attacks if you are not
> # running a web server?  This allows quick filtering based on IP addresses
> # These configurations MUST follow the same configuration scheme as defined
> # above for $HOME_NET.
>
> # List of DNS servers on your network
> var DNS_SERVERS $HOME_NET
>
> # List of SMTP servers on your network
> var SMTP_SERVERS $HOME_NET
>
> # List of web servers on your network
> var HTTP_SERVERS $HOME_NET
>
> # List of sql servers on your network
> var SQL_SERVERS $HOME_NET
>
> # List of telnet servers on your network
> var TELNET_SERVERS $HOME_NET
>
> # List of snmp servers on your network
> var SNMP_SERVERS $HOME_NET
>
> # Configure your service ports.  This allows snort to look for attacks destined
> # to a specific application only on the ports that application runs on.  For
> # example, if you run a web server on port 8081, set your HTTP_PORTS variable
> # like this:
> #
> # var HTTP_PORTS 8080
> #
> # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
> # We will be adding support for a real list of ports in the future.
>
> # Ports you run web servers on
> #
> # Please note:  [80,8080] does not work.
> # If you wish to define multiple HTTP ports,
> #
> ## var HTTP_PORTS 80
> ## include somefile.rules
> ## var HTTP_PORTS 8080
> ## include somefile.rules
> var HTTP_PORTS 80
>
> # Ports you want to look for SHELLCODE on.
> var SHELLCODE_PORTS !80
>
> # Ports you do oracle attacks on
> var ORACLE_PORTS 1521
>
> # other variables
> #
> # AIM servers.  AOL has a habit of adding new AIM servers, so instead of
> # modifying the signatures when they do, we add them to this list of servers.
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>
> # Path to your rules files (this can be a relative path)
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\rules
> var RULE_PATH c:\snort\rules
>
> # Configure the snort decoder
> # ============================
> #
> # Snort's decoder will alert on lots of things such as header
> # truncation or options of unusual length or infrequently used tcp options
> #
> #
> # Stop generic decode events:
> #
> # config disable_decode_alerts
> #
> # Stop Alerts on experimental TCP options
> #
> # config disable_tcpopt_experimental_alerts
> #
> # Stop Alerts on obsolete TCP options
> #
> # config disable_tcpopt_obsolete_alerts
> #
> # Stop Alerts on T/TCP alerts
> #
> # In snort 2.0.1 and above, this only alerts when a TCP option is detected
> # that shows T/TCP being actively used on the network.  If this is normal
> # behavior for your network, disable the next option.
> #
> # config disable_tcpopt_ttcp_alerts
> #
> # Stop Alerts on all other TCPOption type events:
> #
> # config disable_tcpopt_alerts
> #
> # Stop Alerts on invalid ip options
> #
> # config disable_ipopt_alerts
>
> # Configure the detection engine
> # ===============================
> #
> # Use a different pattern matcher in case you have a machine with very limited
> # resources:
> #
> # config detection: search-method lowmem
>
> # Configure Inline Resets
> # ========================
> #
> # If running an iptables firewall with snort in InlineMode() we can now
> # perform resets via a physical device. We grab the indev from iptables
> # and use this for the interface on which to send resets. This config
> # option takes an argument for the src mac address you want to use in the
> # reset packet.  This way the bridge can remain stealthy. If the src mac
> # option is not set we use the mac address of the indev device. If we
> # don't set this option we will default to sending resets via raw socket,
> # which needs an ipaddress to be assigned to the int.
> #
> # config layer2resets: 00:06:76:DD:5F:E3
>
> ###################################################
> # Step #2: Configure dynamic loaded libraries
> #
> # If snort was configured to use dynamically loaded libraries,
> # those libraries can be loaded here.
> #
> # Each of the following configuration options can be done via
> # the command line as well.
> #
> # Load all dynamic preprocessors from the install path
> # (same as command line option --dynamic-preprocessor-lib-dir)
> #
>
> dynamicpreprocessor directory c:\Snort\lib\snort_dynamicpreprocessor
>
> #
> # Load a specific dynamic preprocessor library from the install path
> # (same as command line option --dynamic-preprocessor-lib)
> #
> # dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
> #
> # Load a dynamic engine from the install path
> # (same as command line option --dynamic-engine-lib)
> #
>
> dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
>
> #
> # Load all dynamic rules libraries from the install path
> # (same as command line option --dynamic-detection-lib-dir)
> #
> #dynamicdetection directory c:\snort\lib\snort_dynamicrule\
> #
> # Load a specific dynamic rule library from the install path
> # (same as command line option --dynamic-detection-lib)
> #
> # dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
> #
>
> ###################################################
> # Step #3: Configure preprocessors
> #
> # General configuration for preprocessors is of
> # the form
> # preprocessor <name_of_processor>: <configuration_options>
>
> # Configure Flow tracking module
> # -------------------------------
> #
> # The Flow tracking module is meant to start unifying the state keeping
> # mechanisms of snort into a single place. Right now, only a portscan detector
> # is implemented but in the long term,  many of the stateful subsystems of
> # snort will be migrated over to becoming flow plugins. This must be enabled
> # for flow-portscan to work correctly.
> #
> # See README.flow for additional information
> #
> preprocessor flow: stats_interval 0 hash 2
>
> # frag2: IP defragmentation support
> # -------------------------------
> # This preprocessor performs IP defragmentation.  This plugin will also detect
> # people launching fragmentation attacks (usually DoS) against hosts.  No
> # arguments loads the default configuration of the preprocessor, which is a 60
> # second timeout and a 4MB fragment buffer.
>
> # The following (comma delimited) options are available for frag2
> #    timeout [seconds] - sets the number of [seconds] that an unfinished
> #                        fragment will be kept around waiting for completion,
> #                        if this time expires the fragment will be flushed
> #    memcap [bytes] - limit frag2 memory usage to [number] bytes
> #                      (default:  4194304)
> #
> #    min_ttl [number] - minimum ttl to accept
> #
> #    ttl_limit [number] - difference of ttl to accept without alerting
> #                         will cause false positives with router flap
> #
> # Frag2 uses Generator ID 113 and uses the following SIDS
> # for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Oversized fragment (reassembled frag > 64k bytes)
> #   2       Teardrop-type attack
>
> #preprocessor frag2
>
> # frag3: Target-based IP defragmentation
> # --------------------------------------
> #
> # Frag3 is a brand new IP defragmentation preprocessor that is capable of
> # performing "target-based" processing of IP fragments.  Check out the
> # README.frag3 file in the doc directory for more background and configuration
> # information.
> #
> # Frag3 configuration is a two step process, a global initialization phase
> # followed by the definition of a set of defragmentation engines.
> #
> # Global configuration defines the number of fragmented packets that Snort can
> # track at the same time and gives you options regarding the memory cap for the
> # subsystem or, optionally, allows you to preallocate all the memory for the
> # entire frag3 system.
> #
> # frag3_global options:
> #   max_frags: Maximum number of frag trackers that may be active at once.
> #              Default value is 8192.
> #   memcap: Maximum amount of memory that frag3 may access at any given time.
> #           Default value is 4MB.
> #   prealloc_frags: Maximum number of individual fragments that may be processed
> #                   at once.  This is instead of the memcap system, uses static
> #                   allocation to increase performance.  No default value.  Each
> #                   preallocated fragment eats ~1550 bytes.
> #
> # Target-based behavior is attached to an engine as a "policy" for handling
> # overlaps and retransmissions as enumerated in the Paxson paper.  There are
> # currently five policy types available: "BSD", "BSD-right", "First", "Linux"
> # and "Last".  Engines can be bound to standard Snort CIDR blocks or
> # IP lists.
> #
> # frag3_engine options:
> #   timeout: Amount of time a fragmented packet may be active before expiring.
> #            Default value is 60 seconds.
> #   ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
> #              Based on the initial received fragment TTL.
> #   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
> #            value will be discarded.  Default value is 0.
> #   detect_anomalies: Activates frag3's anomaly detection mechanisms.
> #   policy: Target-based policy to assign to this engine.  Default is BSD.
> #   bind_to: IP address set to bind this engine to.  Default is all hosts.
> #
> # Frag3 configuration example:
> #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
> #preprocessor frag3_engine: policy linux \
> #                           bind_to [10.1.1.12/32,10.1.1.13/32] \
> #                           detect_anomalies
> #preprocessor frag3_engine: policy first \
> #                           bind_to 10.2.1.0/24 \
> #                           detect_anomalies
> #preprocessor frag3_engine: policy last \
> #                           bind_to 10.3.1.0/24
> #preprocessor frag3_engine: policy bsd
>
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
>
>
> # stream4: stateful inspection/stream reassembly for Snort
> #----------------------------------------------------------------------
> # Use in concert with the -z [all|est] command line switch to defeat stick/snot
> # against TCP rules.  Also performs full TCP stream reassembly, stateful
> # inspection of TCP streams, etc.  Can statefully detect various portscan
> # types, fingerprinting, ECN, etc.
>
> # stateful inspection directive
> # no arguments loads the defaults (timeout 30, memcap 8388608)
> # options (options are comma delimited):
> #   detect_scans - stream4 will detect stealth portscans and generate alerts
> #                  when it sees them when this option is set
> #   detect_state_problems - detect TCP state problems, this tends to be very
> #                           noisy because there are a lot of crappy ip stack
> #                           implementations out there
> #
> #   disable_evasion_alerts - turn off the possibly noisy mitigation of
> #                            overlapping sequences.
> #
> #
> #   min_ttl [number]       - set a minimum ttl that snort will accept to
> #                            stream reassembly
> #
> #   ttl_limit [number]     - differential of the initial ttl on a session versus
> #                             the normal that someone may be playing games.
> #                             Routing flap may cause lots of false positives.
> #
> #   keepstats [machine|binary] - keep session statistics, add "machine" to
> #                         get them in a flat format for machine reading, add
> #                         "binary" to get them in a unified binary output
> #                         format
> #   noinspect - turn off stateful inspection only
> #   timeout [number] - set the session timeout counter to [number] seconds,
> #                      default is 30 seconds
> #   max_sessions [number] - limit the number of sessions stream4 keeps
> #                         track of
> #   memcap [number] - limit stream4 memory usage to [number] bytes
> #   log_flushed_streams - if an event is detected on a stream this option will
> #                         cause all packets that are stored in the stream4
> #                         packet buffers to be flushed to disk.  This only
> #                         works when logging in pcap mode!
> #   server_inspect_limit [bytes] - Byte limit on server side inspection.
> #
> # Stream4 uses Generator ID 111 and uses the following SIDS
> # for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Stealth activity
> #   2       Evasive RST packet
> #   3       Evasive TCP packet retransmission
> #   4       TCP Window violation
> #   5       Data on SYN packet
> #   6       Stealth scan: full XMAS
> #   7       Stealth scan: SYN-ACK-PSH-URG
> #   8       Stealth scan: FIN scan
> #   9       Stealth scan: NULL scan
> #   10      Stealth scan: NMAP XMAS scan
> #   11      Stealth scan: Vecna scan
> #   12      Stealth scan: NMAP fingerprint scan stateful detect
> #   13      Stealth scan: SYN-FIN scan
> #   14      TCP forward overlap
>
> preprocessor stream4: disable_evasion_alerts
>
> # tcp stream reassembly directive
> # no arguments loads the default configuration
> #   Only reassemble the client,
> #   Only reassemble the default list of ports (See below),
> #   Give alerts for "bad" streams
> #
> # Available options (comma delimited):
> #   clientonly - reassemble traffic for the client side of a connection only
> #   serveronly - reassemble traffic for the server side of a connection only
> #   both - reassemble both sides of a session
> #   noalerts - turn off alerts from the stream reassembly stage of stream4
> #   ports [list] - use the space separated list of ports in [list], "all"
> #                  will turn on reassembly for all ports, "default" will turn
> #                  on reassembly for ports 21, 23, 25, 42, 53, 80, 110,
> #                  111, 135, 136, 137, 139, 143, 445, 513, 1433, 1521,
> #                  and 3306
> #   favor_old - favor an old segment (based on sequence number) over a new one.
> #               This is the default.
> #   favor_new - favor a new segment (based on sequence number) over an old one.
> #   flush_behavior [mode] -
> #           default      - use old static flushpoints (default)
> #           large_window - use new larger static flushpoints
> #           random       - use random flushpoints defined by flush_base,
> #                          flush_seed and flush_range
> #   flush_base [number] - lowest allowed random flushpoint (512 by default)
> #   flush_range [number] - number is the space within which random flushpoints
> #                          are generated (default 1213)
> #   flush_seed [number] - seed for the random number generator, defaults to
> #                         Snort PID + time
> #
> # Using the default random flushpoints, the smallest flushpoint is 512,
> # and the largest is 1725 bytes.
> preprocessor stream4_reassemble
>
> # Performance Statistics
> # ----------------------
> # Documentation for this is provided in the Snort Manual.  You should read it.
> # It is included in the release distribution as doc/snort_manual.pdf
> #
> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>
> # http_inspect: normalize and detect HTTP traffic and protocol anomalies
> #
> # lots of options available here. See doc/README.http_inspect.
> # unicode.map should be wherever your snort.conf lives, or given
> # a full path to where snort can find it.
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> #
> #  Example unique server configuration
> #
> #preprocessor http_inspect_server: server 1.1.1.1 \
> #    ports { 80 3128 8080 } \
> #    flow_depth 0 \
> #    ascii no \
> #    double_decode yes \
> #    non_rfc_char { 0x00 } \
> #    chunk_length 500000 \
> #    non_strict \
> #    oversize_dir_length 300 \
> #    no_alerts
>
>
> # rpc_decode: normalize RPC traffic
> # ---------------------------------
> # RPC may be sent in alternate encodings besides the usual 4-byte encoding
> # that is used by default. This plugin takes the port numbers that RPC
> # services are running on as arguments - it is assumed that the given ports
> # are actually running this type of service. If not, change the ports or turn
> # it off.
> # The RPC decode preprocessor uses generator ID 106
> #
> # arguments: space separated list
> # alert_fragments - alert on any rpc fragmented TCP data
> # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
> # no_alert_large_fragments - don't alert when the fragmented
> #                            sizes exceed the current packet size
> # no_alert_incomplete - don't alert when a single segment
> #                       exceeds the current packet size
>
> preprocessor rpc_decode: 111 32771
>
> # bo: Back Orifice detector
> # -------------------------
> # Detects Back Orifice traffic on the network.
> #
> # arguments:
> #   syntax:
> #     preprocessor bo: noalert { client | server | general | snort_attack } \
> #                      drop    { client | server | general | snort_attack }
> #   example:
> #     preprocessor bo: noalert { general server } drop { snort_attack }
>
> #
> # The Back Orifice detector uses Generator ID 105 and uses the
> # following SIDS for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Back Orifice traffic detected
> #   2       Back Orifice Client Traffic Detected
> #   3       Back Orifice Server Traffic Detected
> #   4       Back Orifice Snort Buffer Attack
>
> preprocessor bo
>
> # telnet_decode: Telnet negotiation string normalizer
> # ---------------------------------------------------
> # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
> # traffic.  It works in much the same way as the http_decode preprocessor,
> # searching for traffic that breaks up the normal data stream of a protocol and
> # replacing it with a normalized representation of that traffic so that the
> # "content" pattern matching keyword can work without requiring modifications.
> # This preprocessor requires no arguments.
> #
> # DEPRECATED in favor of ftp_telnet dynamic preprocessor
> #preprocessor telnet_decode
> #
> # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
> # ---------------------------------------------------------------------------
> # This preprocessor normalizes telnet negotiation strings from telnet and
> # ftp traffic.  It looks for traffic that breaks the normal data stream
> # of the protocol, replacing it with a normalized representation of that
> # traffic so that the "content" pattern matching keyword can work without
> # requiring modifications.
> #
> # It also performs protocol correctness checks for the FTP command channel,
> # and identifies open FTP data transfers.
> #
> # FTPTelnet has numerous options available, please read
> # README.ftptelnet for help configuring the options for the global
> # telnet, ftp server, and ftp client sections for the protocol.
>
> #####
> # Per Step #2, set the following to load the ftptelnet preprocessor
> # dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>
> # or use commandline option
> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
>
> preprocessor ftp_telnet: global \
>    encrypted_traffic yes \
>    inspection_type stateful
>
> preprocessor ftp_telnet_protocol: telnet \
>    normalize \
>    ayt_attack_thresh 200
>
> # This is consistent with the FTP rules as of 18 Sept 2004.
> # CWD can have param length of 200
> # MODE has an additional mode of Z (compressed)
> # Check for string formats in USER & PASS commands
> # Check nDTM commands that set modification time on the file.
> preprocessor ftp_telnet_protocol: ftp server default \
>    def_max_param_len 100 \
>    alt_max_param_len 200 { CWD } \
>    cmd_validity MODE < char ASBCZ > \
>    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>    telnet_cmds yes \
>    data_chan
>
> preprocessor ftp_telnet_protocol: ftp client default \
>    max_resp_len 256 \
>    bounce yes \
>    telnet_cmds yes
>
> # smtp: SMTP normalizer, protocol enforcement and buffer overflow
> # ---------------------------------------------------------------------------
> # This preprocessor normalizes SMTP commands by removing extraneous spaces.
> # It looks for overly long command lines, response lines, and data header lines.
> # It can alert on invalid commands, or specific valid commands.  It can optionally
> # ignore mail data, and can ignore TLS encrypted data.
> #
> # It also performs protocol correctness checks for the FTP command channel,
> # and identifies open FTP data transfers.
> #
> # SMTP has numerous options available, please read README.smtp for help
> # configuring options.
>
> #####
> # Per Step #2, set the following to load the smtp preprocessor
> # dynamicpreprocessor <full path to libsf_smtp_preproc.so>
> # or use commandline option
> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
>
> preprocessor smtp: \
>   ports { 25 } \
>   inspection_type stateful \
>   normalize cmds \
>   normalize_cmds { EXPN VRFY RCPT } \
>   alt_max_command_line_len 260 { MAIL } \
>   alt_max_command_line_len 300 { RCPT } \
>   alt_max_command_line_len 500 { HELP HELO ETRN } \
>   alt_max_command_line_len 255 { EXPN VRFY }
>
> # sfPortscan
> # ----------
> # Portscan detection module.  Detects various types of portscans and
> # portsweeps.  For more information on detection philosophy, alert types,
> # and detailed portscan information, please refer to the README.sfportscan.
> #
> # -configuration options-
> #     proto { tcp udp icmp ip all }
> #       The arguments to the proto option are the types of protocol scans that
> #       the user wants to detect.  Arguments should be separated by spaces and
> #       not commas.
> #     scan_type { portscan portsweep decoy_portscan distributed_portscan all }
> #       The arguments to the scan_type option are the scan types that the
> #       user wants to detect.  Arguments should be separated by spaces and not
> #       commas.
> #     sense_level { low|medium|high }
> #       There is only one argument to this option and it is the level of
> #       sensitivity in which to detect portscans.  The 'low' sensitivity
> #       detects scans by the common method of looking for response errors, such
> #       as TCP RSTs or ICMP unreachables.  This level requires the least
> #       tuning.  The 'medium' sensitivity level detects portscans and
> #       filtered portscans (portscans that receive no response).  This
> #       sensitivity level usually requires tuning out scan events from NATed
> #       IPs, DNS cache servers, etc.  The 'high' sensitivity level has
> #       lower thresholds for portscan detection and a longer time window than
> #       the 'medium' sensitivity level.  Requires more tuning and may be noisy
> #       on very active networks.  However, this sensitivity level catches the
> #       most scans.
> #     memcap { positive integer }
> #       The maximum number of bytes to allocate for portscan detection.  The
> #       higher this number the more nodes that can be tracked.
> #     logfile { filename }
> #       This option specifies the file to log portscan and detailed portscan
> #       values to.  If there is not a leading /, then snort logs to the
> #       configured log directory.  Refer to README.sfportscan for details on
> #       the logged values in the logfile.
> #     watch_ip { Snort IP List }
> #     ignore_scanners { Snort IP List }
> #     ignore_scanned { Snort IP List }
> #       These options take a snort IP list as the argument.  The 'watch_ip'
> #       option specifies the IP(s) to watch for portscan.  The
> #       'ignore_scanners' option specifies the IP(s) to ignore as scanners.
> #       Note that these hosts are still watched as scanned hosts.  The
> #       'ignore_scanners' option is used to tune alerts from very active
> #       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option
> #       specifies the IP(s) to ignore as scanned hosts.  Note that these hosts
> #       are still watched as scanner hosts.  The 'ignore_scanned' option is
> #       used to tune alerts from very active hosts such as syslog servers, etc.
> #     detect_ack_scans
> #       This option will include sessions picked up in midstream by the stream
> #       module, which is necessary to detect ACK scans.  However, this can lead to
> #       false alerts, especially under heavy load with dropped packets; which is why
> #       the option is off by default.
> #
> preprocessor sfportscan: proto  { all } \
>                          memcap { 10000000 } \
>                          sense_level { low }
>
> # arpspoof
> #----------------------------------------
> # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
> # unicast ARP requests, and specific ARP mapping monitoring.  To make use of
> # this preprocessor you must specify the IP and hardware address of hosts on
> # the same layer 2 segment as you.  Specify one host IP MAC combo per line.
> # Also takes a "-unicast" option to turn on unicast ARP request detection.
> # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
>
> #  SID     Event description
> # -----   -------------------
> #   1       Unicast ARP request
> #   2       Etherframe ARP mismatch (src)
> #   3       Etherframe ARP mismatch (dst)
> #   4       ARP cache overwrite attack
>
> #preprocessor arpspoof
> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>
> ####################################################################
> # Step #4: Configure output plugins
> #
> # Uncomment and configure the output plugins you decide to use.  General
> # configuration for output plugins is of the form:
> #
> # output <name_of_plugin>: <configuration_options>
> #
> # alert_syslog: log alerts to syslog
> # ----------------------------------
> # Use one or more syslog facilities as arguments.  Win32 can also optionally
> # specify a particular hostname/port.  Under Win32, the default hostname is
> # '127.0.0.1', and the default port is 514.
> #
> # [Unix flavours should use this format...]
> # output alert_syslog: LOG_AUTH LOG_ALERT
> #
> # [Win32 can use any of these formats...]
> # output alert_syslog: LOG_AUTH LOG_ALERT
> # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
> output alert_syslog: host=localhost:3261, LOG_AUTH LOG_ALERT
>
> # log_tcpdump: log packets in binary tcpdump format
> # -------------------------------------------------
> # The only argument is the output file name.
> #
> # output log_tcpdump: c:\snort\log\tcpdump.log
>
> # database: log to a variety of databases
> # ---------------------------------------
> # See the README.database file for more information about configuring
> # and using this plugin.
> #
> # output database: log, mysql, user=root password=test dbname=db host=localhost
> # output database: alert, postgresql, user=snort dbname=snort
> # output database: log, odbc, user=snort dbname=snort
> output database: log, mssql, dbname=snortdB user=snortusr password=xxx host=localhost port=3261
> # output database: alert, mssql, dbname=snortdB user=snortusr password=xxx host=localhost
>
> # unified: Snort unified binary format alerting and logging
> # -------------------------------------------------------------
> # The unified output plugin provides two new formats for logging and generating
> # alerts from Snort, the "unified" format.  The unified format is a straight
> # binary format for logging data out of Snort that is designed to be fast and
> # efficient.  Used with barnyard (the new alert/log processor), most of the
> # overhead for logging and alerting to various slow storage mechanisms such as
> # databases or the network can now be avoided.
> #
> # Check out the spo_unified.h file for the data formats.
> #
> # Two arguments are supported.
> #    filename - base filename to write to (current time_t is appended)
> #    limit    - maximum size of spool file in MB (default: 128)
> #
> # output alert_unified: filename snort.alert, limit 128
> # output log_unified: filename snort.log, limit 128
>
>
> # prelude: log to the Prelude Hybrid IDS system
> # ---------------------------------------------
> #
> # profile = Name of the Prelude profile to use (default is snort).
> #
> # Snort priority to IDMEF severity mappings:
> # high < medium < low < info
> #
> # These are the default mapped from classification.config:
> # info   = 4
> # low    = 3
> # medium = 2
> # high   = anything below medium
> #
> # output alert_prelude
> # output alert_prelude: profile=snort-profile-name
>
>
> # You can optionally define new rule types and associate one or more output
> # plugins specifically to that type.
> #
> # This example will create a type that will log to just tcpdump.
> # ruletype suspicious
> # {
> #   type log
> #   output log_tcpdump: suspicious.log
> # }
> #
> # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
> # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
> #
> # This example will create a rule type that will log to syslog and a mysql
> # database:
> # ruletype redalert
> # {
> #   type alert
> #   output alert_syslog: LOG_AUTH LOG_ALERT
> #   output database: log, mssql, user=snortusr password=xxx dbname=snortdB host=localhost }
> #
> # EXAMPLE RULE FOR REDALERT RULETYPE:
> # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
> #   (msg:"Someone is being LEET"; flags:A+;)
>
> # alert tcp any any -> $HOME_NET any (msg:"TCP traffic";)
>
> #
> # Include classification & priority settings
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\etc\classification.config
> #
>
> include c:\snort\etc\classification.config
>
> #
> # Include reference systems
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\etc\reference.config
> #
>
> include c:\snort\etc\reference.config
>
> ####################################################################
> # Step #5: Configure snort with config statements
> #
> # See the snort manual for a full set of configuration references
> #
> # config flowbits_size: 64
> #
> # New global ignore_ports config option from Andy Mullican
> #
> # config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
> # config ignore_ports: tcp 21 6667:6671 1356
> # config ignore_ports: udp 1:17 53
>
>
> ####################################################################
> # Step #6: Customize your rule set
> #
> # Up to date snort rules are available at http://www.snort.org
> #
> # The snort web site has documentation about how to write your own custom snort
> # rules.
>
> #=========================================
> # Include all relevant rulesets here
> #
> # The following rulesets are disabled by default:
> #
> #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
> #   chat, multimedia, and p2p
> #
> # These rules are either site policy specific or require tuning in order to not
> # generate false positive alerts in most environments.
> #
> # Please read the specific include file for more information and
> # README.alert_order for how rule ordering affects how alerts are triggered.
> #=========================================
>
> include $RULE_PATH\local.rules
> include $RULE_PATH\bad-traffic.rules
> include $RULE_PATH\exploit.rules
> include $RULE_PATH\scan.rules
> include $RULE_PATH\finger.rules
> include $RULE_PATH\ftp.rules
> include $RULE_PATH\telnet.rules
> include $RULE_PATH\rpc.rules
> include $RULE_PATH\rservices.rules
> include $RULE_PATH\dos.rules
> include $RULE_PATH\ddos.rules
> include $RULE_PATH\dns.rules
> include $RULE_PATH\tftp.rules
>
> include $RULE_PATH\web-cgi.rules
> include $RULE_PATH\web-coldfusion.rules
> include $RULE_PATH\web-iis.rules
> include $RULE_PATH\web-frontpage.rules
> include $RULE_PATH\web-misc.rules
> include $RULE_PATH\web-client.rules
> include $RULE_PATH\web-php.rules
>
> include $RULE_PATH\sql.rules
> include $RULE_PATH\x11.rules
> include $RULE_PATH\icmp.rules
> include $RULE_PATH\netbios.rules
> include $RULE_PATH\misc.rules
> include $RULE_PATH\attack-responses.rules
> include $RULE_PATH\oracle.rules
> include $RULE_PATH\mysql.rules
> include $RULE_PATH\snmp.rules
>
> include $RULE_PATH\smtp.rules
> include $RULE_PATH\imap.rules
> include $RULE_PATH\pop2.rules
> include $RULE_PATH\pop3.rules
>
> include $RULE_PATH\nntp.rules
> include $RULE_PATH\other-ids.rules
> # include $RULE_PATH/web-attacks.rules
> # include $RULE_PATH/backdoor.rules
> # include $RULE_PATH/shellcode.rules
> # include $RULE_PATH/policy.rules
> # include $RULE_PATH/porn.rules
> # include $RULE_PATH/info.rules
> # include $RULE_PATH/icmp-info.rules
> # include $RULE_PATH/virus.rules
> # include $RULE_PATH/chat.rules
> # include $RULE_PATH/multimedia.rules
> # include $RULE_PATH/p2p.rules
> # include $RULE_PATH/spyware-put.rules
> include $RULE_PATH\experimental.rules
>
> # Include any thresholding or suppression commands. See threshold.conf in the
> # <snort src>/etc directory for details. Commands don't necessarily need to be
> # contained in this conf, but a separate conf makes it easier to maintain them.
> # Note for Windows users:  You are advised to make this an absolute path,
> include c:\snort\etc\threshold.conf
> # Uncomment if needed.
> # include threshold.conf
>
>
>
> From: "David Lantz" <becuz1am at ...125...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] error: log_tcpdump TcpdumpInitlogefile():no error
> Date: Sun, 17 Sep 2006 20:12:27 -0400
>
> snort 2.6.01 win32
>
> mssql 2000 on localhost
>
> used create_mssql in /schemas for db
>
> get the following error...
>
> database: SQL Server message 5701, state 2, severity 0:
>         Changed database context to 'snortdB'.
> Server ''server\database'
> database: SQL Server message 5701, state 1, severity 0:
>         Changed database context to 'snortdB'.
> Server 'server\database', Line 1
> database:     sensor id = 1
> database: schema version = 107
> database: using the "log" facility
> ERROR: log_tcpdump TcpdumpInitLogFile(): No error
> Fatal Error, Quitting...
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
        Snort - Open Source Network IPS/IDS -- http://www.snort.org
          gpg key: http://demo.sourcefire.com/jesler.pgp.key
            aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+
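Joel's advice at the top of the thread is to log in unified format and let barnyard feed the database, rather than having Snort write to the DB inline. As an added example (not Snort's code and not written by anyone in the thread), the Python below parses the `output` directives of a snort.conf fragment, joining backslash-continued lines the way Snort's config parser allows, and reports the points a reviewer would raise about the quoted configuration: a direct `database` output plugin, credentials embedded in the config file, and the absence of any unified output. The sample text is constructed from the directives quoted in the thread, and the function and class names are my own.

```python
"""Lint the output plugins of a Snort 2.x configuration fragment.

Added example for the snort-users thread; not Snort's own code.  The sample
configuration below is constructed from the 'output' lines quoted in the
thread (one commented-out line is included to show comments are skipped).
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONF = """\
# output alert_syslog: LOG_AUTH LOG_ALERT
output alert_syslog: host=localhost:3261, LOG_AUTH LOG_ALERT
output database: log, mssql, dbname=snortdB user=snortusr \\
password=xxx host=localhost port=3261
# output log_unified: filename snort.log, limit 128
"""


@dataclass
class OutputPlugin:
    name: str                                  # e.g. "database", "alert_syslog"
    args: str                                  # raw text after the colon
    params: dict = field(default_factory=dict)  # key=value pairs found in args


def logical_lines(text):
    """Yield logical config lines, joining lines that end in a backslash."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:  # trailing continuation with no final line
        yield " ".join(buf)


OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_outputs(text):
    """Return the active (uncommented) output plugins in declaration order."""
    plugins = []
    for line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        name, args = m.group(1), m.group(2).strip()
        # Trailing commas belong to the argument list, not the value.
        params = {k: v.rstrip(",") for k, v in KV_RE.findall(args)}
        plugins.append(OutputPlugin(name, args, params))
    return plugins


def review_outputs(plugins):
    """Return the findings a reviewer would raise about these output plugins."""
    findings = []
    for p in plugins:
        if p.name == "database":
            findings.append("database: Snort writes to the DB inline; prefer "
                            "log_unified/alert_unified plus barnyard so a slow "
                            "database cannot stall the sensor")
            if "password" in p.params:
                findings.append("database: credentials are embedded in "
                                "snort.conf; restrict the file's permissions")
    if not {p.name for p in plugins} & {"alert_unified", "log_unified"}:
        findings.append("no unified output plugin is configured")
    return findings


if __name__ == "__main__":
    found = parse_outputs(SAMPLE_CONF)
    for plugin in found:
        print(f"{plugin.name}: {plugin.params}")
    for finding in review_outputs(found):
        print("-", finding)
```

Run against the constructed sample it lists the two active plugins (`alert_syslog` and `database`) with their parsed parameters and prints three findings. The same functions can be pointed at a full snort.conf; unknown `output` plugins are listed without findings so the check does not fail on plugins it does not know.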