[Snort-users] Use two nics

John M. Krumenacker krums at ...14015...
Wed Jan 3 16:48:04 EST 2007


I thought config was good. Here are eth0 and eth1. I will also check
locations mentioned in other messages.

Thanks so much everyone!


eth0 is 

# Intel Corporation 82562EZ 10/100 Ethernet Controller
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:13:20:4E:CC:B9
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes
TYPE=Ethernet
NETMASK=255.255.255.0
DHCP_HOSTNAME=FC5ENG1.bplnoc.com
IPADDR=192.168.1.101
GATEWAY=192.168.1.1

and then eth1 is 


# Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+
DEVICE=eth1
BOOTPROTO=none
HWADDR=00:30:BD:1F:09:9A
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes

On Wed, 2007-01-03 at 15:36 -0600, Bush, Jason R CTR NAVSURFWARCENDIV,
NSWC Crane wrote:
> I run CentOS and was able to get this working without a problem.  Check
> your interface configuration file
> (/etc/sysconfig/network-scripts/ifcfg-eth0) and have it resemble the
> following:
> 
> DEVICE=eth0
> BOOTPROTO=none
> ONBOOT=yes
> TYPE=Ethernet
> 
> I then have my management interface configured
> (/etc/sysconfig/network-scripts/ifcfg-eth1) as follows:
> 
> DEVICE=eth1
> BOOTPROTO=none
> BROADCAST=X.X.X.X
> HWADDR=XX:XX:XX:XX:XX:XX
> IPADDR=X.X.X.X
> NETMASK=X.X.X.X
> NETWORK=X.X.X.X
> ONBOOT=yes
> TYPE=Ethernet
> HOSTNAME=host.domain.com
> USERCTL=no
> PEERDNS=yes
> IPV6INIT=no
> 
> Since yours is running on eth1, try using what I have for eth0 for your
> eth1, or swap the cables and change the init file back to eth0.  Good
> luck.
> 
> 
> Jason R. Bush 
> 
> 
> -----Original Message-----
> From: snort-users-bounces at lists.sourceforge.net
> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of John M.
> Krumenacker
> Sent: Wednesday, January 03, 2007 3:17 PM
> To: snort
> Subject: [Snort-users] Use two nics
> 
> 
> Hello - 
> 
> I would like to be able to use two NICS with my snort machine but for
> some reason I have not been able to get this to work properly. Is there
> a default way to set this up or is it more complicated?
> 
> eth0 - management (192.168.1.0/24 subnet)
> eth1 - NIDS (no IP)
> 
> Both are in the same switch - a cisco 2900
> 
> I have configured (on Fedora 5) /etc/init.d/snort to use eth0
> 
> I will attach here the contents of /etc/init.d/snort
> and /etc/snort/snort.conf. Can you kindly have a look and see what I may
> have messed up?
> **************************************************************************************
> (the stars are here for a separator and not in the actual file)
> **************************************************************************************
> #!/bin/sh
> #
> # chkconfig: 2345 99 82
> # description: Starts and stops the snort intrusion detection system
> #
> # config: /etc/snort/snort.conf
> # processname: snort
> 
> # Source function library
> . /etc/rc.d/init.d/functions
> 
> BASE=snort
> DAEMON="-D"
> INTERFACE="-i eth1"
> CONF="/etc/snort/snort.conf"
> 
> # Check that $BASE exists.
> [ -f /usr/local/bin/$BASE ] || exit 0
> 
> # Source networking configuration.
> . /etc/sysconfig/network
> 
> # Check that networking is up.
> [ "${NETWORKING}" = "no" ] && exit 0
> 
> RETVAL=0
> # See how we were called.
> case "$1" in
>   start)
>         if [ -n "`/sbin/pidof $BASE`" ]; then
>                 echo -n $"$BASE: already running"
>                 echo ""
>                 exit $RETVAL
>         fi
>         echo -n "Starting snort service: "
>         /usr/local/bin/$BASE $INTERFACE -c $CONF $DAEMON
>         sleep 1
>         action "" /sbin/pidof $BASE
>         RETVAL=$?
>         [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
>         ;;
>   stop)
>         echo -n "Shutting down snort service: "
>         killproc $BASE
>         RETVAL=$?
>         echo
>         [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
>         ;;
>   restart|reload)
>         $0 stop
>         $0 start
>         RETVAL=$?
>         ;;
>   status)
>         status $BASE
>         RETVAL=$?
>         ;;
>   *)
>         echo "Usage: snort {start|stop|restart|reload|status}"
>         exit 1
> esac
> 
> exit $RETVAL
> 
> 
> **************************************************************************************
> end of /etc/init.d/snort
> **************************************************************************************
> 
> **************************************************************************************
> Begin /etc/snort/snort.conf
> **************************************************************************************
> 
> #--------------------------------------------------
> #   http://www.snort.org     Snort 2.6.1.2 Ruleset
> #     Contact: snort-sigs at lists.sourceforge.net
> #--------------------------------------------------
> # $Id$
> #
> ###################################################
> # This file contains a sample snort configuration. 
> # You can take the following steps to create your own custom configuration:
> #
> #  1) Set the variables for your network
> #  2) Configure dynamic loaded libraries
> #  3) Configure preprocessors
> #  4) Configure output plugins
> #  5) Add any runtime config directives
> #  6) Customize your rule set
> #
> ###################################################
> # Step #1: Set the network variables:
> #
> # You must change the following variables to reflect your local network. The
> # variable is currently setup for an RFC 1918 address space.
> #
> # You can specify it explicitly as:
> #
>  var HOME_NET 192.168.1.0/24
> #
> # or use global variable $<interfacename>_ADDRESS which will be always
> # initialized to IP address and netmask of the network interface which you run
> # snort at.  Under Windows, this must be specified as
> # $(<interfacename>_ADDRESS), such as:
> # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
> #
> # var HOME_NET $eth0_ADDRESS
> #
> # You can specify lists of IP addresses for HOME_NET
> # by separating the IPs with commas like this:
> #
> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> #
> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> #
> # or you can specify the variable to be any IP address
> # like this:
> 
> #var HOME_NET any
> 
> # Set up the external network addresses as well.  A good start may be "any"
> var EXTERNAL_NET !$HOME_NET
> 
> # Configure your server lists.  This allows snort to only look for attacks to
> # systems that have a service up.  Why look for HTTP attacks if you are not
> # running a web server?  This allows quick filtering based on IP addresses
> # These configurations MUST follow the same configuration scheme as defined
> # above for $HOME_NET.
> 
> # List of DNS servers on your network 
> var DNS_SERVERS $HOME_NET
> 
> # List of SMTP servers on your network
> var SMTP_SERVERS $HOME_NET
> 
> # List of web servers on your network
> var HTTP_SERVERS $HOME_NET
> 
> # List of sql servers on your network 
> var SQL_SERVERS $HOME_NET
> 
> # List of telnet servers on your network
> var TELNET_SERVERS $HOME_NET
> 
> # List of snmp servers on your network
> var SNMP_SERVERS $HOME_NET
> 
> # Configure your service ports.  This allows snort to look for attacks destined
> # to a specific application only on the ports that application runs on. For
> # example, if you run a web server on port 8081, set your HTTP_PORTS variable
> # like this:
> #
> # var HTTP_PORTS 8081
> #
> # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
> # We will be adding support for a real list of ports in the future.
> 
> # Ports you run web servers on
> #
> # Please note:  [80,8080] does not work.
> # If you wish to define multiple HTTP ports, use the following convention
> # when customizing your rule set (as part of Step #6 below). This should
> # not be done here, as the rules files may depend on the classifications
> # and/or references, which are included below.
> #
> ## var HTTP_PORTS 80 
> ## include somefile.rules 
> ## var HTTP_PORTS 8080
> ## include somefile.rules 
> var HTTP_PORTS 80
> 
> # Ports you want to look for SHELLCODE on.
> var SHELLCODE_PORTS !80
> 
> # Ports you do oracle attacks on
> var ORACLE_PORTS 1521
> 
> # other variables
> # 
> # AIM servers.  AOL has a habit of adding new AIM servers, so instead of
> # modifying the signatures when they do, we add them to this list of servers.
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> 
> # Path to your rules files (this can be a relative path)
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\rules
> var RULE_PATH /etc/snort/rules
> 
> # Configure the snort decoder
> # ============================
> #
> # Snort's decoder will alert on lots of things such as header
> # truncation or options of unusual length or infrequently used tcp options
> #
> #
> # Stop generic decode events:
> #
> # config disable_decode_alerts
> #
> # Stop Alerts on experimental TCP options
> #
> # config disable_tcpopt_experimental_alerts
> #
> # Stop Alerts on obsolete TCP options
> #
> # config disable_tcpopt_obsolete_alerts
> #
> # Stop Alerts on T/TCP alerts
> #
> # In snort 2.0.1 and above, this only alerts when a TCP option is detected
> # that shows T/TCP being actively used on the network.  If this is normal
> # behavior for your network, disable the next option.
> #
> # config disable_tcpopt_ttcp_alerts
> #
> # Stop Alerts on all other TCPOption type events:
> #
> # config disable_tcpopt_alerts
> #
> # Stop Alerts on invalid ip options
> #
> # config disable_ipopt_alerts
> #
> # Alert if value in length field (IP, TCP, UDP) is greater than the
> # actual length of the captured portion of the packet that the length
> # is supposed to represent:
> #
> # config enable_decode_oversized_alerts
> #
> # Same as above, but drop packet if in Inline mode -
> # enable_decode_oversized_alerts must be enabled for this to work:
> #
> # config enable_decode_oversized_drops
> #
> 
> # Configure the detection engine
> # ===============================
> #
> # Use a different pattern matcher in case you have a machine with very limited
> # resources:
> #
> # config detection: search-method lowmem
> 
> # Configure Inline Resets
> # ========================
> # 
> # If running an iptables firewall with snort in InlineMode() we can now
> # perform resets via a physical device. We grab the indev from iptables
> # and use this for the interface on which to send resets. This config
> # option takes an argument for the src mac address you want to use in the
> # reset packet.  This way the bridge can remain stealthy. If the src mac
> # option is not set we use the mac address of the indev device. If we
> # don't set this option we will default to sending resets via raw socket,
> # which needs an ipaddress to be assigned to the int.
> #
> # config layer2resets: 00:06:76:DD:5F:E3
> 
> ###################################################
> # Step #2: Configure dynamic loaded libraries
> #
> # If snort was configured to use dynamically loaded libraries,
> # those libraries can be loaded here.
> #
> # Each of the following configuration options can be done via
> # the command line as well.
> #
> # Load all dynamic preprocessors from the install path
> # (same as command line option --dynamic-preprocessor-lib-dir)
> #
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> #
> # Load a specific dynamic preprocessor library from the install path
> # (same as command line option --dynamic-preprocessor-lib)
> #
> # dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
> #
> # Load a dynamic engine from the install path
> # (same as command line option --dynamic-engine-lib)
> #
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> #
> # Load all dynamic rules libraries from the install path
> # (same as command line option --dynamic-detection-lib-dir)
> #
> # dynamicdetection directory /usr/local/lib/snort_dynamicrule/
> #
> # Load a specific dynamic rule library from the install path
> # (same as command line option --dynamic-detection-lib)
> #
> # dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
> #
> 
> ###################################################
> # Step #3: Configure preprocessors
> #
> # General configuration for preprocessors is of 
> # the form
> # preprocessor <name_of_processor>: <configuration_options>
> 
> # Configure Flow tracking module
> # -------------------------------
> #
> # The Flow tracking module is meant to start unifying the state keeping
> # mechanisms of snort into a single place. Right now, only a portscan detector
> # is implemented but in the long term,  many of the stateful subsystems of
> # snort will be migrated over to becoming flow plugins. This must be enabled
> # for flow-portscan to work correctly.
> #
> # See README.flow for additional information
> #
> preprocessor flow: stats_interval 0 hash 2
> 
> # frag2: IP defragmentation support
> # -------------------------------
> # This preprocessor performs IP defragmentation.  This plugin will also detect
> # people launching fragmentation attacks (usually DoS) against hosts. No
> # arguments loads the default configuration of the preprocessor, which is a 60
> # second timeout and a 4MB fragment buffer.
> 
> # The following (comma delimited) options are available for frag2
> #    timeout [seconds] - sets the number of [seconds] that an unfinished
> #                        fragment will be kept around waiting for completion,
> #                        if this time expires the fragment will be flushed
> #    memcap [bytes] - limit frag2 memory usage to [number] bytes
> #                      (default:  4194304)
> #
> #    min_ttl [number] - minimum ttl to accept
> # 
> #    ttl_limit [number] - difference of ttl to accept without alerting
> #                         will cause false positives with router flap
> # 
> # Frag2 uses Generator ID 113 and uses the following SIDS 
> # for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Oversized fragment (reassembled frag > 64k bytes)
> #   2       Teardrop-type attack
> 
> #preprocessor frag2
> 
> # frag3: Target-based IP defragmentation 
> # --------------------------------------
> #
> # Frag3 is a brand new IP defragmentation preprocessor that is capable of
> # performing "target-based" processing of IP fragments.  Check out the
> # README.frag3 file in the doc directory for more background and configuration
> # information.
> #
> # Frag3 configuration is a two step process, a global initialization phase
> # followed by the definition of a set of defragmentation engines.
> #
> # Global configuration defines the number of fragmented packets that Snort can
> # track at the same time and gives you options regarding the memory cap for the
> # subsystem or, optionally, allows you to preallocate all the memory for the
> # entire frag3 system.
> #
> # frag3_global options:
> #   max_frags: Maximum number of frag trackers that may be active at once.
> #              Default value is 8192.
> #   memcap: Maximum amount of memory that frag3 may access at any given time.
> #           Default value is 4MB.
> #   prealloc_frags: Maximum number of individual fragments that may be processed
> #                   at once.  This is instead of the memcap system, uses static
> #                   allocation to increase performance.  No default value.  Each
> #                   preallocated fragment eats ~1550 bytes.
> #
> # Target-based behavior is attached to an engine as a "policy" for handling
> # overlaps and retransmissions as enumerated in the Paxson paper.  There are
> # currently five policy types available: "BSD", "BSD-right", "First", "Linux"
> # and "Last".  Engines can be bound to standard Snort CIDR blocks or
> # IP lists.
> #
> # frag3_engine options:
> #   timeout: Amount of time a fragmented packet may be active before expiring.
> #            Default value is 60 seconds.
> #   ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
> #              Based on the initial received fragment TTL.
> #   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
> #            value will be discarded.  Default value is 0.
> #   detect_anomalies: Activates frag3's anomaly detection mechanisms.
> #   policy: Target-based policy to assign to this engine.  Default is BSD.
> #   bind_to: IP address set to bind this engine to.  Default is all hosts.
> #
> # Frag3 configuration example:
> #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
> #preprocessor frag3_engine: policy linux \
> #                           bind_to [10.1.1.12/32,10.1.1.13/32] \
> #                           detect_anomalies
> #preprocessor frag3_engine: policy first \
> #                           bind_to 10.2.1.0/24 \
> #                           detect_anomalies
> #preprocessor frag3_engine: policy last \
> #                           bind_to 10.3.1.0/24
> #preprocessor frag3_engine: policy bsd
> 
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
> 
> 
> # stream4: stateful inspection/stream reassembly for Snort
> #----------------------------------------------------------------------
> # Use in concert with the -z [all|est] command line switch to defeat stick/snot
> # against TCP rules.  Also performs full TCP stream reassembly, stateful
> # inspection of TCP streams, etc.  Can statefully detect various portscan
> # types, fingerprinting, ECN, etc.
> 
> # stateful inspection directive
> # no arguments loads the defaults (timeout 30, memcap 8388608)
> # options (options are comma delimited):
> #   detect_scans - stream4 will detect stealth portscans and generate alerts
> #                  when it sees them when this option is set
> #   detect_state_problems - detect TCP state problems, this tends to be very
> #                           noisy because there are a lot of crappy ip stack
> #                           implementations out there
> #
> #   disable_evasion_alerts - turn off the possibly noisy mitigation of
> #                            overlapping sequences.
> #
> #   ttl_limit [number]     - differential of the initial ttl on a session versus
> #                             the normal that someone may be playing games.
> #                             Routing flap may cause lots of false positives.
> #
> #   keepstats [machine|binary] - keep session statistics, add "machine" to
> #                         get them in a flat format for machine reading, add
> #                         "binary" to get them in a unified binary output
> #                         format
> #   noinspect - turn off stateful inspection only
> #   timeout [number] - set the session timeout counter to [number] seconds,
> #                      default is 30 seconds
> #   max_sessions [number] - limit the number of sessions stream4 keeps
> #                         track of
> #   memcap [number] - limit stream4 memory usage to [number] bytes (does
> #                     not include session tracking, which is set by the
> #                     max_sessions option)
> #   log_flushed_streams - if an event is detected on a stream this option will
> #                         cause all packets that are stored in the stream4
> #                         packet buffers to be flushed to disk.  This only
> #                         works when logging in pcap mode!
> #   server_inspect_limit [bytes] - Byte limit on server side inspection.
> #   enable_udp_sessions - turn on tracking of "sessions" over UDP.  Requires
> #                         configure --enable-stream4udp.  UDP sessions are
> #                         only created when there is a rule for the sender or
> #                         responder that has a flow or flowbits keyword.
> #   max_udp_sessions [number] - limit the number of simultaneous UDP sessions
> #                               to track
> #   udp_ignore_any - Do not inspect UDP packets unless there is a port specific
> #                    rule for a given port.  This is a performance improvement
> #                    and turns off inspection for udp xxx any -> xxx any rules
> #   cache_clean_sessions [number] - Cleanup the session cache by number sessions
> #                                   at a time.  The larger the value, the
> #                                   more sessions are purged from the cache when
> #                                   the session limit or memcap is reached.
> #                                   Defaults to 5.
> #   
> #   
> #
> # Stream4 uses Generator ID 111 and uses the following SIDS 
> # for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Stealth activity
> #   2       Evasive RST packet
> #   3       Evasive TCP packet retransmission
> #   4       TCP Window violation
> #   5       Data on SYN packet
> #   6       Stealth scan: full XMAS
> #   7       Stealth scan: SYN-ACK-PSH-URG
> #   8       Stealth scan: FIN scan
> #   9       Stealth scan: NULL scan
> #   10      Stealth scan: NMAP XMAS scan
> #   11      Stealth scan: Vecna scan
> #   12      Stealth scan: NMAP fingerprint scan stateful detect
> #   13      Stealth scan: SYN-FIN scan
> #   14      TCP forward overlap
> 
> preprocessor stream4: disable_evasion_alerts
> 
> # tcp stream reassembly directive
> # no arguments loads the default configuration 
> #   Only reassemble the client,
> #   Only reassemble the default list of ports (See below),  
> #   Give alerts for "bad" streams
> #
> # Available options (comma delimited):
> #   clientonly - reassemble traffic for the client side of a connection only
> #   serveronly - reassemble traffic for the server side of a connection only
> #   both - reassemble both sides of a session
> #   noalerts - turn off alerts from the stream reassembly stage of stream4
> #   ports [list] - use the space separated list of ports in [list], "all"
> #                  will turn on reassembly for all ports, "default" will turn
> #                  on reassembly for ports 21, 23, 25, 42, 53, 80, 110,
> #                  111, 135, 136, 137, 139, 143, 445, 513, 1433, 1521,
> #                  and 3306
> #   favor_old - favor an old segment (based on sequence number) over a new one.
> #               This is the default.
> #   favor_new - favor a new segment (based on sequence number) over an old one.
> #   overlap_limit [number] - limit on overlapping segments for a session.
> #   flush_on_alert - flushes stream when an alert is generated for a session.
> #   flush_behavior [mode] -
> #           default      - use old static flushpoints (default)
> #           large_window - use new larger static flushpoints
> #           random       - use random flushpoints defined by flush_base,
> #                          flush_seed and flush_range
> #   flush_base [number] - lowest allowed random flushpoint (512 by default)
> #   flush_range [number] - number is the space within which random flushpoints
> #                          are generated (default 1213)
> #   flush_seed [number] - seed for the random number generator, defaults to
> #                         Snort PID + time
> #
> # Using the default random flushpoints, the smallest flushpoint is 512,
> # and the largest is 1725 bytes.
> preprocessor stream4_reassemble
> preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
> 
> # stream5: Target Based stateful inspection/stream reassembly for Snort
> # ---------------------------------------------------------------------
> # EXPERIMENTAL CODE!!!
> #
> # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
> # USE AT YOUR OWN RISK!  DO NOT USE IN PRODUCTION ENVIRONMENTS.
> # YOU HAVE BEEN WARNED.
> #
> # Stream5 is a target-based stream engine for Snort.  Its functionality
> # replaces that of Stream4.  Consequently, BOTH Stream4 and Stream5
> # cannot be used simultaneously.  Comment out the stream4 configurations
> # above to use Stream5.
> #
> # See README.stream for details on the configuration options.
> #
> # Example config (that emulates Stream4 with UDP support compiled in)
> # preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> #                              track_udp yes
> # preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> # preprocessor stream5_udp: ignore_any_rules
> 
> 
> # Performance Statistics
> # ----------------------
> # Documentation for this is provided in the Snort Manual.  You should read it.
> # It is included in the release distribution as doc/snort_manual.pdf
> #
> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
> 
> # http_inspect: normalize and detect HTTP traffic and protocol anomalies
> #
> # lots of options available here. See doc/README.http_inspect.
> # unicode.map should be wherever your snort.conf lives, or given
> # a full path to where snort can find it.
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
> 
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500
> 
> #
> #  Example unique server configuration
> #
> #preprocessor http_inspect_server: server 1.1.1.1 \
> #    ports { 80 3128 8080 } \
> #    flow_depth 0 \
> #    ascii no \
> #    double_decode yes \
> #    non_rfc_char { 0x00 } \
> #    chunk_length 500000 \
> #    non_strict \
> #    oversize_dir_length 300 \
> #    no_alerts
> 
> 
> # rpc_decode: normalize RPC traffic
> # ---------------------------------
> # RPC may be sent in alternate encodings besides the usual 4-byte encoding
> # that is used by default. This plugin takes the port numbers that RPC
> # services are running on as arguments - it is assumed that the given ports
> # are actually running this type of service. If not, change the ports or turn
> # it off.
> # The RPC decode preprocessor uses generator ID 106
> #
> # arguments: space separated list
> # alert_fragments - alert on any rpc fragmented TCP data
> # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
> # no_alert_large_fragments - don't alert when the fragmented
> #                            sizes exceed the current packet size
> # no_alert_incomplete - don't alert when a single segment
> #                       exceeds the current packet size
> 
> preprocessor rpc_decode: 111 32771
> 
> # bo: Back Orifice detector
> # -------------------------
> # Detects Back Orifice traffic on the network.
> #
> # arguments:  
> #   syntax:
> #     preprocessor bo: noalert { client | server | general | snort_attack } \
> #                      drop    { client | server | general | snort_attack }
> #   example:
> #     preprocessor bo: noalert { general server } drop { snort_attack }
> 
> # 
> # The Back Orifice detector uses Generator ID 105 and uses the 
> # following SIDS for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Back Orifice traffic detected
> #   2       Back Orifice Client Traffic Detected
> #   3       Back Orifice Server Traffic Detected
> #   4       Back Orifice Snort Buffer Attack
> 
> preprocessor bo
> 
> # telnet_decode: Telnet negotiation string normalizer
> # ---------------------------------------------------
> # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
> # traffic.  It works in much the same way as the http_decode preprocessor,
> # searching for traffic that breaks up the normal data stream of a protocol and
> # replacing it with a normalized representation of that traffic so that the
> # "content" pattern matching keyword can work without requiring modifications.
> # This preprocessor requires no arguments.
> #
> # DEPRECATED in favor of ftp_telnet dynamic preprocessor
> #preprocessor telnet_decode
> #
> # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
> # ---------------------------------------------------------------------------
> # This preprocessor normalizes telnet negotiation strings from telnet and
> # ftp traffic.  It looks for traffic that breaks the normal data stream
> # of the protocol, replacing it with a normalized representation of that
> # traffic so that the "content" pattern matching keyword can work without
> # requiring modifications.
> #
> # It also performs protocol correctness checks for the FTP command channel,
> # and identifies open FTP data transfers.
> #
> # FTPTelnet has numerous options available, please read
> # README.ftptelnet for help configuring the options for the global
> # telnet, ftp server, and ftp client sections for the protocol.
> 
> #####
> # Per Step #2, set the following to load the ftptelnet preprocessor
> # dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>
> # or use commandline option
> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
> 
> preprocessor ftp_telnet: global \
>    encrypted_traffic yes \
>    inspection_type stateful
> 
> preprocessor ftp_telnet_protocol: telnet \
>    normalize \
>    ayt_attack_thresh 200
> 
> # This is consistent with the FTP rules as of 18 Sept 2004.
> # CWD can have param length of 200
> # MODE has an additional mode of Z (compressed)
> # Check for string formats in USER & PASS commands
> # Check nDTM commands that set modification time on the file.
> preprocessor ftp_telnet_protocol: ftp server default \
>    def_max_param_len 100 \
>    alt_max_param_len 200 { CWD } \
>    cmd_validity MODE < char ASBCZ > \
>    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>    telnet_cmds yes \
>    data_chan
> 
> preprocessor ftp_telnet_protocol: ftp client default \
>    max_resp_len 256 \
>    bounce yes \
>    telnet_cmds yes
> 
> # smtp: SMTP normalizer, protocol enforcement and buffer overflow
> # ---------------------------------------------------------------------------
> # This preprocessor normalizes SMTP commands by removing extraneous spaces.
> # It looks for overly long command lines, response lines, and data header lines.
> # It can alert on invalid commands, or specific valid commands.  It can optionally
> # ignore mail data, and can ignore TLS encrypted data.
> #
> # SMTP has numerous options available, please read README.SMTP for help
> # configuring options.
> 
> #####
> # Per Step #2, set the following to load the smtp preprocessor
> # dynamicpreprocessor <full path to libsf_smtp_preproc.so>
> # or use commandline option
> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
> 
> preprocessor smtp: \
>   ports { 25 } \
>   inspection_type stateful \
>   normalize cmds \
>   normalize_cmds { EXPN VRFY RCPT } \
>   alt_max_command_line_len 260 { MAIL } \
>   alt_max_command_line_len 300 { RCPT } \
>   alt_max_command_line_len 500 { HELP HELO ETRN } \
>   alt_max_command_line_len 255 { EXPN VRFY }
> 
> # sfPortscan
> # ----------
> # Portscan detection module.  Detects various types of portscans and
> # portsweeps.  For more information on detection philosophy, alert types,
> # and detailed portscan information, please refer to the README.sfportscan.
> #
> # -configuration options-
> #     proto { tcp udp icmp ip all }
> #       The arguments to the proto option are the types of protocol scans that
> #       the user wants to detect.  Arguments should be separated by spaces and
> #       not commas.
> #     scan_type { portscan portsweep decoy_portscan distributed_portscan all }
> #       The arguments to the scan_type option are the scan types that the
> #       user wants to detect.  Arguments should be separated by spaces and not
> #       commas.
> #     sense_level { low|medium|high }
> #       There is only one argument to this option and it is the level of
> #       sensitivity in which to detect portscans.  The 'low' sensitivity
> #       detects scans by the common method of looking for response errors, such
> #       as TCP RSTs or ICMP unreachables.  This level requires the least
> #       tuning.  The 'medium' sensitivity level detects portscans and
> #       filtered portscans (portscans that receive no response).  This
> #       sensitivity level usually requires tuning out scan events from NATed
> #       IPs, DNS cache servers, etc.  The 'high' sensitivity level has
> #       lower thresholds for portscan detection and a longer time window than
> #       the 'medium' sensitivity level.  Requires more tuning and may be noisy
> #       on very active networks.  However, this sensitivity level catches the
> #       most scans.
> #     memcap { positive integer }
> #       The maximum number of bytes to allocate for portscan detection.  The
> #       higher this number the more nodes that can be tracked.
> #     logfile { filename }
> #       This option specifies the file to log portscan and detailed portscan
> #       values to.  If there is not a leading /, then snort logs to the
> #       configured log directory.  Refer to README.sfportscan for details on
> #       the logged values in the logfile.
> #     watch_ip { Snort IP List }
> #     ignore_scanners { Snort IP List }
> #     ignore_scanned { Snort IP List }
> #       These options take a snort IP list as the argument.  The 'watch_ip'
> #       option specifies the IP(s) to watch for portscan.  The
> #       'ignore_scanners' option specifies the IP(s) to ignore as scanners.
> #       Note that these hosts are still watched as scanned hosts.  The
> #       'ignore_scanners' option is used to tune alerts from very active
> #       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option
> #       specifies the IP(s) to ignore as scanned hosts.  Note that these hosts
> #       are still watched as scanner hosts.  The 'ignore_scanned' option is
> #       used to tune alerts from very active hosts such as syslog servers, etc.
> #     detect_ack_scans
> #       This option will include sessions picked up in midstream by the stream
> #       module, which is necessary to detect ACK scans.  However, this can lead to
> #       false alerts, especially under heavy load with dropped packets; which is why
> #       the option is off by default.
> #
> preprocessor sfportscan: proto  { all } \
>                          memcap { 10000000 } \
>                          sense_level { low }
> 
> # arpspoof
> #----------------------------------------
> # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
> # unicast ARP requests, and specific ARP mapping monitoring.  To make use of
> # this preprocessor you must specify the IP and hardware address of hosts on
> # the same layer 2 segment as you.  Specify one host IP MAC combo per line.
> # Also takes a "-unicast" option to turn on unicast ARP request detection.
> # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
> 
> #  SID     Event description
> # -----   -------------------
> #   1       Unicast ARP request
> #   2       Etherframe ARP mismatch (src)
> #   3       Etherframe ARP mismatch (dst)
> #   4       ARP cache overwrite attack
> 
> #preprocessor arpspoof
> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
> 
> # ssh
> #----------------------------------------
> # EXPERIMENTAL CODE!!!
> #
> # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
> # USE AT YOUR OWN RISK!  DO NOT USE IN PRODUCTION ENVIRONMENTS.
> # YOU HAVE BEEN WARNED.
> #
> # The SSH preprocessor detects the following exploits: Gobbles, CRC 32,
> # Secure CRT, and the Protocol Mismatch exploit.
> #
> # Both Gobbles and CRC 32 attacks occur after the key exchange, and are
> # therefore encrypted.  Both attacks involve sending a large payload
> # (20kb+) to the server immediately after the authentication challenge.
> # To detect the attacks, the SSH preprocessor counts the number of bytes
> # transmitted to the server.  If those bytes exceed a pre-defined limit
> # within a pre-defined number of packets, an alert is generated.  Since
> # Gobbles only affects SSHv2 and CRC 32 only affects SSHv1, the SSH
> # version string exchange is used to distinguish the attacks.
> #
> # The Secure CRT and protocol mismatch exploits are observable before
> # the key exchange.
> #
> # SSH has numerous options available, please read README.ssh for help
> # configuring options.
> 
> #####
> # Per Step #2, set the following to load the ssh preprocessor
> # dynamicpreprocessor <full path to libsf_ssh_preproc.so>
> # or use commandline option
> # --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
> #
> #preprocessor ssh: server_ports { 22 } \
> #                  max_client_bytes 19600 \
> #                  max_encrypted_packets 20
> 
> # DCE/RPC
> #----------------------------------------
> #
> # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
> # It is primarily interested in DCE/RPC data, and only decodes SMB
> # to get at the DCE/RPC data carried by the SMB layer.
> #
> # Currently, the preprocessor only handles reassembly of fragmentation
> # at both the SMB and DCE/RPC layer.  Snort rules can be evaded by
> # using both types of fragmentation; with the preprocessor enabled
> # the rules are given a buffer with a reassembled SMB or DCE/RPC
> # packet to examine.
> #
> # At the SMB layer, only fragmentation using WriteAndX is currently
> # reassembled.  Other methods will be handled in future versions of
> # the preprocessor.
> #
> # Autodetection of SMB is done by looking for "\xFFSMB" at the start of
> # the SMB data, as well as checking the NetBIOS header (which is always
> # present for SMB) for the type "SMB Session".
> #
> # Autodetection of DCE/RPC is not as reliable.  Currently, two bytes are
> # checked in the packet.  Assuming that the data is a DCE/RPC header,
> # one byte is checked for DCE/RPC version (5) and another for the type
> # "DCE/RPC Request".  If both match, the preprocessor proceeds with that
> # assumption that it is looking at DCE/RPC data.  If subsequent checks
> # are nonsensical, it ends processing.
> #
> # DCERPC has numerous options available, please read README.dcerpc for help
> # configuring options.
> 
> #####
> # Per Step #2, set the following to load the dcerpc preprocessor
> # dynamicpreprocessor <full path to libsf_dcerpc_preproc.so>
> # or use commandline option
> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
> 
> preprocessor dcerpc: \
>     autodetect \
>     max_frag_size 3000 \
>     memcap 100000
> 
> # DNS
> #----------------------------------------
> # The dns preprocessor (currently) decodes DNS Response traffic
> # and detects a few vulnerabilities.
> #
> # DNS has a few options available, please read README.dns for
> # help configuring options.
> 
> #####
> # Per Step #2, set the following to load the dns preprocessor
> # dynamicpreprocessor <full path to libsf_dns_preproc.so>
> # or use commandline option
> # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
> 
> preprocessor dns: \
>     ports { 53 } \
>     enable_rdata_overflow
> 
> ####################################################################
> # Step #4: Configure output plugins
> #
> # Uncomment and configure the output plugins you decide to use.  General
> # configuration for output plugins is of the form:
> #
> # output <name_of_plugin>: <configuration_options>
> #
> # alert_syslog: log alerts to syslog
> # ----------------------------------
> # Use one or more syslog facilities as arguments.  Win32 can also optionally
> # specify a particular hostname/port.  Under Win32, the default hostname is
> # '127.0.0.1', and the default port is 514.
> #
> # [Unix flavours should use this format...]
> # output alert_syslog: LOG_AUTH LOG_ALERT
> #
> # [Win32 can use any of these formats...]
> # output alert_syslog: LOG_AUTH LOG_ALERT
> # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
> # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
> 
> # log_tcpdump: log packets in binary tcpdump format
> # -------------------------------------------------
> # The only argument is the output file name.
> #
> # output log_tcpdump: tcpdump.log
> 
> # database: log to a variety of databases
> # ---------------------------------------
> # See the README.database file for more information about configuring
> # and using this plugin.
> # output database: log, mysql, user=snort password=snortuser dbname=snort host=localhost
> # output database: alert, postgresql, user=snort dbname=snort
> # output database: log, odbc, user=snort dbname=snort
> # output database: log, mssql, dbname=snort user=snort password=test
> # output database: log, oracle, dbname=snort user=snort password=test
> 
> # unified: Snort unified binary format alerting and logging
> # -------------------------------------------------------------
> # The unified output plugin provides two new formats for logging and generating
> # alerts from Snort, the "unified" format.  The unified format is a straight
> # binary format for logging data out of Snort that is designed to be fast and
> # efficient.  Used with barnyard (the new alert/log processor), most of the
> # overhead for logging and alerting to various slow storage mechanisms such as
> # databases or the network can now be avoided.
> #
> # Check out the spo_unified.h file for the data formats.
> #
> # Two arguments are supported.
> #    filename - base filename to write to (current time_t is appended)
> #    limit    - maximum size of spool file in MB (default: 128)
> #
> # output alert_unified: filename snort.alert, limit 128
> # output log_unified: filename snort.log, limit 128
> 
> 
> # prelude: log to the Prelude Hybrid IDS system
> # ---------------------------------------------
> #
> # profile = Name of the Prelude profile to use (default is snort).
> #
> # Snort priority to IDMEF severity mappings:
> # high < medium < low < info
> #
> # These are the default mapped from classification.config:
> # info   = 4
> # low    = 3
> # medium = 2
> # high   = anything below medium
> #
> # output alert_prelude
> # output alert_prelude: profile=snort-profile-name
> 
> 
> # You can optionally define new rule types and associate one or more output
> # plugins specifically to that type.
> #
> # This example will create a type that will log to just tcpdump.
> # ruletype suspicious
> # {
> #   type log
> #   output log_tcpdump: suspicious.log
> # }
> #
> # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
> # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
> #
> # This example will create a rule type that will log to syslog and a mysql
> # database:
> # ruletype redalert
> # {
> #   type alert
> #   output alert_syslog: LOG_AUTH LOG_ALERT
> #   output database: log, mysql, user=snort dbname=snort host=localhost
> # }
> #
> # EXAMPLE RULE FOR REDALERT RULETYPE:
> # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
> #   (msg:"Someone is being LEET"; flags:A+;)
> 
> #
> # Include classification & priority settings
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\etc\classification.config
> #
> 
> include classification.config
> 
> #
> # Include reference systems
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\etc\reference.config
> #
> 
> include reference.config
> 
> ####################################################################
> # Step #5: Configure snort with config statements
> #
> # See the snort manual for a full set of configuration references
> #
> # config flowbits_size: 64
> #
> # New global ignore_ports config option from Andy Mullican
> #
> # config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
> # config ignore_ports: tcp 21 6667:6671 1356
> # config ignore_ports: udp 1:17 53
> 
> 
> ####################################################################
> # Step #6: Customize your rule set
> #
> # Up to date snort rules are available at http://www.snort.org
> #
> # The snort web site has documentation about how to write your own custom snort
> # rules.
> 
> #=========================================
> # Include all relevant rulesets here 
> # 
> # The following rulesets are disabled by default:
> #
> #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
> #   chat, multimedia, and p2p
> #
> # These rules are either site policy specific or require tuning in order to not
> # generate false positive alerts in most environments.
> #
> # Please read the specific include file for more information and
> # README.alert_order for how rule ordering affects how alerts are triggered.
> #=========================================
> 
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
> 
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> 
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
> 
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
> 
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> # include $RULE_PATH/web-attacks.rules
> # include $RULE_PATH/backdoor.rules
> # include $RULE_PATH/shellcode.rules
> # include $RULE_PATH/policy.rules
> # include $RULE_PATH/porn.rules
> # include $RULE_PATH/info.rules
> # include $RULE_PATH/icmp-info.rules
> # include $RULE_PATH/virus.rules
> # include $RULE_PATH/chat.rules
> # include $RULE_PATH/multimedia.rules
> # include $RULE_PATH/p2p.rules
> # include $RULE_PATH/spyware-put.rules
> include $RULE_PATH/experimental.rules
> 
> # Include any thresholding or suppression commands. See threshold.conf in the
> # <snort src>/etc directory for details. Commands don't necessarily need to be
> # contained in this conf, but a separate conf makes it easier to maintain them.
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\etc\threshold.conf
> # Uncomment if needed.
> # include threshold.conf
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
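
Added example, not part of the original messages and not Snort's own code: a simplified Python model of the byte-count heuristic that the ssh preprocessor comment in the quoted snort.conf describes, using that config's max_client_bytes 19600 and max_encrypted_packets 20. The class, the function names and the packet lists are constructed for illustration.

```python
"""Simplified model of the heuristic in the ssh preprocessor comment."""
from dataclasses import dataclass
from typing import Optional

MAX_CLIENT_BYTES = 19600       # max_client_bytes in the quoted config
MAX_ENCRYPTED_PACKETS = 20     # max_encrypted_packets in the quoted config


def ssh_major_version(banner: str) -> int:
    """Return 1 or 2 from a version string such as 'SSH-2.0-OpenSSH_4.3'."""
    parts = banner.strip().split("-", 2)
    if len(parts) < 2 or parts[0] != "SSH":
        raise ValueError(f"not an SSH version string: {banner!r}")
    # 1.99 advertises SSHv2 with v1 compatibility, so treat it as v2.
    return 1 if parts[1].startswith("1.") and parts[1] != "1.99" else 2


@dataclass
class SshSession:
    version: int
    client_bytes: int = 0
    packets_seen: int = 0
    alert: Optional[str] = None
    done: bool = False

    def on_encrypted_packet(self, from_client: bool, length: int):
        """Feed one post-key-exchange packet; return an alert name or None."""
        if self.done:
            return None
        self.packets_seen += 1
        if from_client:
            self.client_bytes += length
        if self.client_bytes > MAX_CLIENT_BYTES:
            # The version string decides which attack the payload matches.
            self.alert = "Gobbles" if self.version == 2 else "CRC 32"
            self.done = True
            return self.alert
        if self.packets_seen >= MAX_ENCRYPTED_PACKETS:
            self.done = True   # inspection window used up, stop tracking
        return None


def inspect_session(banner, packets):
    """Run (from_client, length) tuples through one session."""
    session = SshSession(ssh_major_version(banner))
    for from_client, length in packets:
        session.on_encrypted_packet(from_client, length)
    return session.alert


# Constructed sample traffic: (from_client, payload length in bytes).
INTERACTIVE = [(True, 64), (False, 128)] * 15
BULK_AFTER_KEX = [(True, 1460)] * 14
LATE_BULK = [(True, 100)] * 20 + [(True, 1460)] * 20
```

The LATE_BULK case shows why the packet window matters: a large transfer that starts after the first 20 encrypted packets, such as a file copy later in the session, is not flagged.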



