[Snort-users] catching some alerts, but NOT consistent

Casiano, Jason (Sys Admin) casiano at ...5250...
Sun Sep 16 00:35:16 EDT 2007


broadcom BCM5708C

Winsrv2k3 wsp2

Winpcap 401

Snort exec= -cc:\snort\etc\snort.conf -ld:\logs\snort -Kascii -i2

 

im using a terminal service request alert to verify snort functionality
on my servers, however ive got a couple using the broadcom BCM5708C
netextreme 2 adapters that dont seem to report on a term server request,
however icmp request report just dandy. 

any ideas? i truly would like to iron this out, ive been pulling my hair
our for 3 weeks now.

 

Conf:

#--------------------------------------------------

#   http://www.snort.org     Snort current Ruleset

#     Contact: snort-sigs at lists.sourceforge.net

#--------------------------------------------------

# $Id: snort.conf,v 1.183 2007/04/30 17:48:03 ssturges Exp $

#

###################################################

# This file contains a sample snort configuration. 

# You can take the following steps to create your own custom
configuration:

#

#  1) Set the variables for your network

#  2) Configure dynamic loaded libraries

#  3) Configure preprocessors

#  4) Configure output plugins

#  5) Add any runtime config directives

#  6) Customize your rule set

#

###################################################

# Step #1: Set the network variables:

#

# You must change the following variables to reflect your local network.
The

# variable is currently setup for an RFC 1918 address space.

#

# You can specify it explicitly as: 

#

# var HOME_NET 10.1.1.0/24

#

# or use global variable $<interfacename>_ADDRESS which will be always

# initialized to IP address and netmask of the network interface which
you run

# snort at.  Under Windows, this must be specified as

# $(<interfacename>_ADDRESS), such as:

# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)

#

# var HOME_NET $eth0_ADDRESS

#

# You can specify lists of IP addresses for HOME_NET

# by separating the IPs with commas like this:

#

# var HOME_NET [10.1.1.0/24,192.168.1.0/24]

#

# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!

#

# or you can specify the variable to be any IP address

# like this:

 

var HOME_NET 192.168.0.1/32

 

# Set up the external network addresses as well.  A good start may be
"any"

var EXTERNAL_NET !$HOME_NET

 

# Configure your server lists.  This allows snort to only look for
attacks to

# systems that have a service up.  Why look for HTTP attacks if you are
not

# running a web server?  This allows quick filtering based on IP
addresses

# These configurations MUST follow the same configuration scheme as
defined

# above for $HOME_NET.  

 

# List of DNS servers on your network 

var DNS_SERVERS $HOME_NET 

#$HOME_NET

 

# List of SMTP servers on your network

var SMTP_SERVERS $HOME_NET

 

# List of web servers on your network

var HTTP_SERVERS $HOME_NET

 

# List of sql servers on your network 

var SQL_SERVERS $HOME_NET

 

# List of telnet servers on your network

var TELNET_SERVERS $HOME_NET

 

# List of snmp servers on your network

var SNMP_SERVERS $HOME_NET

 

# Configure your service ports.  This allows snort to look for attacks
destined

# to a specific application only on the ports that application runs on.
For

# example, if you run a web server on port 8081, set your HTTP_PORTS
variable

# like this:

#

# var HTTP_PORTS 8081

#

# Port lists must either be continuous [eg 80:8080], or a single port
[eg 80].

# We will adding support for a real list of ports in the future.

 

# Ports you run web servers on

#

# Please note:  [80,8080] does not work.

# If you wish to define multiple HTTP ports, use the following
convention

# when customizing your rule set (as part of Step #6 below).  This
should

# not be done here, as the rules files may depend on the classifications

# and/or references, which are included below.

# 

## var HTTP_PORTS 80 

## include somefile.rules 

## var HTTP_PORTS 8080

## include somefile.rules 

var HTTP_PORTS 80

 

# Ports you want to look for SHELLCODE on.

var SHELLCODE_PORTS !80

 

# Ports you do oracle attacks on

var ORACLE_PORTS 1521

 

# other variables

# 

# AIM servers.  AOL has a habit of adding new AIM servers, so instead of

# modifying the signatures when they do, we add them to this list of
servers.

var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/2
4,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.15
3.0/24,205.188.179.0/24,205.188.248.0/24]

 

# Path to your rules files (this can be a relative path)

# Note for Windows users:  You are advised to make this an absolute
path,

# such as:  c:\snort\rules

var RULE_PATH c:\snort\rules

 

# Configure the snort decoder

# ============================

#

# Snort's decoder will alert on lots of things such as header

# truncation or options of unusual length or infrequently used tcp
options

#

#

# Stop generic decode events:

#

# config disable_decode_alerts

#

# Stop Alerts on experimental TCP options

#

# config disable_tcpopt_experimental_alerts

#

# Stop Alerts on obsolete TCP options

#

# config disable_tcpopt_obsolete_alerts

#

# Stop Alerts on T/TCP alerts

#

# In snort 2.0.1 and above, this only alerts when a TCP option is
detected

# that shows T/TCP being actively used on the network.  If this is
normal

# behavior for your network, disable the next option.

#

# config disable_tcpopt_ttcp_alerts

#

# Stop Alerts on all other TCPOption type events:

#

# config disable_tcpopt_alerts

#

# Stop Alerts on invalid ip options

#

# config disable_ipopt_alerts

#

# Alert if value in length field (IP, TCP, UDP) is greater than the

# actual length of the captured portion of the packet that the length

# is supposed to represent:

#

# config enable_decode_oversized_alerts

#

# Same as above, but drop packet if in Inline mode -

# enable_decode_oversized_alerts must be enabled for this to work:

#

# config enable_decode_oversized_drops

#

 

# Configure the detection engine

# ===============================

#

# Use a different pattern matcher in case you have a machine with very
limited

# resources:

#

 config detection: search-method lowmem

 

# Configure Inline Resets

# ========================

# 

# If running an iptables firewall with snort in InlineMode() we can now

# perform resets via a physical device. We grab the indev from iptables

# and use this for the interface on which to send resets. This config

# option takes an argument for the src mac address you want to use in
the

# reset packet.  This way the bridge can remain stealthy. If the src mac

# option is not set we use the mac address of the indev device. If we

# don't set this option we will default to sending resets via raw
socket,

# which needs an ipaddress to be assigned to the int.

#

# config layer2resets: 00:06:76:DD:5F:E3

 

###################################################

# Step #2: Configure dynamic loaded libraries

#

# If snort was configured to use dynamically loaded libraries,

# those libraries can be loaded here.

#

# Each of the following configuration options can be done via

# the command line as well.

#

# Load all dynamic preprocessors from the install path

# (same as command line option --dynamic-preprocessor-lib-dir)

#

dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

#

# Load a specific dynamic preprocessor library from the install path

# (same as command line option --dynamic-preprocessor-lib)

#

# dynamicpreprocessor file
C:\Snort\lib\snort_dynamicpreprocessor/libdynamicexample.so

#

# Load a dynamic engine from the install path

# (same as command line option --dynamic-engine-lib)

#

dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

#

# Load all dynamic rules libraries from the install path

# (same as command line option --dynamic-detection-lib-dir)

#

# dynamicdetection directory /usr/local/lib/snort_dynamicrule/

#

# Load a specific dynamic rule library from the install path

# (same as command line option --dynamic-detection-lib)

#

# dynamicdetection file
/usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so

#

 

###################################################

# Step #3: Configure preprocessors

#

# General configuration for preprocessors is of 

# the form

# preprocessor <name_of_processor>: <configuration_options>

 

# Configure Flow tracking module

# -------------------------------

#

# The Flow tracking module is meant to start unifying the state keeping

# mechanisms of snort into a single place. Right now, only a portscan
detector

# is implemented but in the long term,  many of the stateful subsystems
of

# snort will be migrated over to becoming flow plugins. This must be
enabled

# for flow-portscan to work correctly.

#

# See README.flow for additional information

#

preprocessor flow: stats_interval 0 hash 2

 

# frag3: Target-based IP defragmentation 

# --------------------------------------

#

# Frag3 is a brand new IP defragmentation preprocessor that is capable
of

# performing "target-based" processing of IP fragments.  Check out the

# README.frag3 file in the doc directory for more background and
configuration

# information.

# 

# Frag3 configuration is a two step process, a global initialization
phase 

# followed by the definition of a set of defragmentation engines.  

# 

# Global configuration defines the number of fragmented packets that
Snort can

# track at the same time and gives you options regarding the memory cap
for the

# subsystem or, optionally, allows you to preallocate all the memory for
the 

# entire frag3 system.

#

# frag3_global options:

#   max_frags: Maximum number of frag trackers that may be active at
once.  

#              Default value is 8192.

#   memcap: Maximum amount of memory that frag3 may access at any given
time.

#           Default value is 4MB.

#   prealloc_frags: Maximum number of individual fragments that may be
processed

#                   at once.  This is instead of the memcap system, uses
static 

#                   allocation to increase performance.  No default
value.  Each

#                   preallocated fragment eats ~1550 bytes.

#

# Target-based behavior is attached to an engine as a "policy" for
handling 

# overlaps and retransmissions as enumerated in the Paxson paper.  There
are

# currently five policy types available: "BSD", "BSD-right", "First",
"Linux" 

# and "Last".  Engines can be bound to standard Snort CIDR blocks or

# IP lists.

#

# frag3_engine options:

#   timeout: Amount of time a fragmented packet may be active before
expiring.

#            Default value is 60 seconds.

#   ttl_limit: Limit of delta allowable for TTLs of packets in the
fragments. 

#              Based on the initial received fragment TTL.

#   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs
below this

#            value will be discarded.  Default value is 0.

#   detect_anomalies: Activates frag3's anomaly detection mechanisms.

#   policy: Target-based policy to assign to this engine.  Default is
BSD.

#   bind_to: IP address set to bind this engine to.  Default is all
hosts.

#

# Frag3 configuration example:

#preprocessor frag3_global: max_frags 65536 prealloc_frags 262144

#preprocessor frag3_engine: policy linux \

#                           bind_to [10.1.1.12/32,10.1.1.13/32] \

#                           detect_anomalies

#preprocessor frag3_engine: policy first \

#                           bind_to 10.2.1.0/24 \

#                           detect_anomalies

#preprocessor frag3_engine: policy last \

#                           bind_to 10.3.1.0/24

#preprocessor frag3_engine: policy bsd

 

preprocessor frag3_global: max_frags 65536

preprocessor frag3_engine: policy first detect_anomalies

 

 

# stream4: stateful inspection/stream reassembly for Snort

#----------------------------------------------------------------------

# Use in concert with the -z [all|est] command line switch to defeat
stick/snot

# against TCP rules.  Also performs full TCP stream reassembly, stateful

# inspection of TCP streams, etc.  Can statefully detect various
portscan

# types, fingerprinting, ECN, etc.

 

# stateful inspection directive

# no arguments loads the defaults (timeout 30, memcap 8388608)

# options (options are comma delimited):

#   detect_scans - stream4 will detect stealth portscans and generate
alerts

#                  when it sees them when this option is set

#   detect_state_problems - detect TCP state problems, this tends to be
very

#                           noisy because there are a lot of crappy ip
stack

#                           implementations out there

#

#   disable_evasion_alerts - turn off the possibly noisy mitigation of

#                            overlapping sequences.

#

#   ttl_limit [number]     - differential of the initial ttl on a
session versus

#                             the normal that someone may be playing
games.

#                             Routing flap may cause lots of false
positives.

# 

#   keepstats [machine|binary] - keep session statistics, add "machine"
to 

#                         get them in a flat format for machine reading,
add

#                         "binary" to get them in a unified binary
output 

#                         format

#   noinspect - turn off stateful inspection only

#   timeout [number] - set the session timeout counter to [number]
seconds,

#                      default is 30 seconds

#   max_sessions [number] - limit the number of sessions stream4 keeps

#                         track of

#   memcap [number] - limit stream4 memory usage to [number] bytes (does

#                     not include session tracking, which is set by the

#                     max_sessions option)

#   log_flushed_streams - if an event is detected on a stream this
option will

#                         cause all packets that are stored in the
stream4

#                         packet buffers to be flushed to disk.  This
only 

#                         works when logging in pcap mode!

#   server_inspect_limit [bytes] - Byte limit on server side inspection.

#   enable_udp_sessions - turn on tracking of "sessions" over UDP.
Requires

#                         configure --enable-stream4udp.  UDP sessions
are

#                         only created when there is a rule for the
sender or

#                         responder that has a flow or flowbits keyword.

#   max_udp_sessions [number] - limit the number of simultaneous UDP
sessions

#                               to track

#   udp_ignore_any - Do not inspect UDP packets unless there is a port
specific

#                    rule for a given port.  This is a performance
improvement

#                    and turns off inspection for udp xxx any -> xxx any
rules

#   cache_clean_sessions [number] - Cleanup the session cache by number
sessions

#                                   at a time.  The larger the value,
the

#                                   more sessions are purged from the
cache when

#                                   the session limit or memcap is
reached.

#                                   Defaults to 5.

#   

#   

#

# Stream4 uses Generator ID 111 and uses the following SIDS 

# for that GID:

#  SID     Event description

# -----   -------------------

#   1       Stealth activity

#   2       Evasive RST packet

#   3       Evasive TCP packet retransmission

#   4       TCP Window violation

#   5       Data on SYN packet

#   6       Stealth scan: full XMAS

#   7       Stealth scan: SYN-ACK-PSH-URG

#   8       Stealth scan: FIN scan

#   9       Stealth scan: NULL scan

#   10      Stealth scan: NMAP XMAS scan

#   11      Stealth scan: Vecna scan

#   12      Stealth scan: NMAP fingerprint scan stateful detect

#   13      Stealth scan: SYN-FIN scan

#   14      TCP forward overlap

 

#preprocessor stream4

#: disable_evasion_alerts

 

# tcp stream reassembly directive

# no arguments loads the default configuration 

#   Only reassemble the client,

#   Only reassemble the default list of ports (See below),  

#   Give alerts for "bad" streams

#

# Available options (comma delimited):

#   clientonly - reassemble traffic for the client side of a connection
only

#   serveronly - reassemble traffic for the server side of a connection
only

#   both - reassemble both sides of a session

#   noalerts - turn off alerts from the stream reassembly stage of
stream4

#   ports [list] - use the space separated list of ports in [list],
"all" 

#                  will turn on reassembly for all ports, "default" will
turn

#                  on reassembly for ports 21, 23, 25, 42, 53, 80, 110,

#                  111, 135, 136, 137, 139, 143, 445, 513, 1433, 1521,

#                  and 3306

#   favor_old - favor an old segment (based on sequence number) over a
new one.

#               This is the default.

#   favor_new - favor an new segment (based on sequence number) over an
old one.

#   overlap_limit [number] - limit on overlaping segments for a session.

#   flush_on_alert - flushes stream when an alert is generated for a
session.

#   flush_behavior [mode] -

#           default      - use old static flushpoints (default)

#           large_window - use new larger static flushpoints

#           random       - use random flushpoints defined by flush_base,


#                          flush_seed and flush_range

#   flush_base [number] - lowest allowed random flushpoint (512 by
default)

#   flush_range [number] - number is the space within which random
flushpoints

#                          are generated (default 1213)

#   flush_seed [number] - seed for the random number generator, defaults
to 

#                         Snort PID + time

#

# Using the default random flushpoints, the smallest flushpoint is 512,

# and the largest is 1725 bytes.

#preprocessor stream4_reassemble

 

# stream5: Target Based stateful inspection/stream reassembly for Snort

# ---------------------------------------------------------------------

# Stream5 is a target-based stream engine for Snort.  Its functionality

# replaces that of Stream4.  Consequently, BOTH Stream4 and Stream5

# cannot be used simultaneously.  Comment out the stream4 configurations

# above to use Stream5.

# 

# See README.stream5 for details on the configuration options.

#

# Example config (that emulates Stream4 with UDP support compiled in)

preprocessor stream5_global: max_tcp 8192, track_tcp yes, \

                             track_udp no

preprocessor stream5_tcp: policy first, use_static_footprint_sizes

# preprocessor stream5_udp: ignore_any_rules

 

 

# Performance Statistics

# ----------------------

# Documentation for this is provided in the Snort Manual.  You should
read it.

# It is included in the release distribution as doc/snort_manual.pdf

# 

# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt
10000

 

# http_inspect: normalize and detect HTTP traffic and protocol anomalies

#

# lots of options available here. See doc/README.http_inspect.

# unicode.map should be wherever your snort.conf lives, or given

# a full path to where snort can find it.

preprocessor http_inspect: global \

    iis_unicode_map unicode.map 1252 

 

preprocessor http_inspect_server: server default \

    profile all ports { 80 8080 8180 } oversize_dir_length 500

 

#

#  Example unique server configuration

#

#preprocessor http_inspect_server: server 1.1.1.1 \

#    ports { 80 3128 8080 } \

#    flow_depth 0 \

#    ascii no \

#    double_decode yes \

#    non_rfc_char { 0x00 } \

#    chunk_length 500000 \

#    non_strict \

#    oversize_dir_length 300 \

#    no_alerts

 

 

# rpc_decode: normalize RPC traffic

# ---------------------------------

# RPC may be sent in alternate encodings besides the usual 4-byte
encoding

# that is used by default. This plugin takes the port numbers that RPC

# services are running on as arguments - it is assumed that the given
ports

# are actually running this type of service. If not, change the ports or
turn

# it off.

# The RPC decode preprocessor uses generator ID 106

#

# arguments: space separated list

# alert_fragments - alert on any rpc fragmented TCP data

# no_alert_multiple_requests - don't alert when >1 rpc query is in a
packet

# no_alert_large_fragments - don't alert when the fragmented

#                            sizes exceed the current packet size

# no_alert_incomplete - don't alert when a single segment

#                       exceeds the current packet size

 

preprocessor rpc_decode: 111 32771

 

# bo: Back Orifice detector

# -------------------------

# Detects Back Orifice traffic on the network.

#

# arguments:  

#   syntax:

#     preprocessor bo: noalert { client | server | general |
snort_attack } \

#                      drop    { client | server | general |
snort_attack }

#   example:

#     preprocessor bo: noalert { general server } drop { snort_attack }

 

# 

# The Back Orifice detector uses Generator ID 105 and uses the 

# following SIDS for that GID:

#  SID     Event description

# -----   -------------------

#   1       Back Orifice traffic detected

#   2       Back Orifice Client Traffic Detected

#   3       Back Orifice Server Traffic Detected

#   4       Back Orifice Snort Buffer Attack

 

preprocessor bo

 

# telnet_decode: Telnet negotiation string normalizer

# ---------------------------------------------------

# This preprocessor "normalizes" telnet negotiation strings from telnet
and ftp

# traffic.  It works in much the same way as the http_decode
preprocessor,

# searching for traffic that breaks up the normal data stream of a
protocol and

# replacing it with a normalized representation of that traffic so that
the

# "content" pattern matching keyword can work without requiring
modifications.

# This preprocessor requires no arguments.

#

# DEPRECATED in favor of ftp_telnet dynamic preprocessor

#preprocessor telnet_decode

#

# ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff
overflow

#
------------------------------------------------------------------------
---

# This preprocessor normalizes telnet negotiation strings from telnet
and

# ftp traffic.  It looks for traffic that breaks the normal data stream

# of the protocol, replacing it with a normalized representation of that

# traffic so that the "content" pattern matching keyword can work
without

# requiring modifications.

#

# It also performs protocol correctness checks for the FTP command
channel,

# and identifies open FTP data transfers.

#

# FTPTelnet has numerous options available, please read

# README.ftptelnet for help configuring the options for the global

# telnet, ftp server, and ftp client sections for the protocol.

 

#####

# Per Step #2, set the following to load the ftptelnet preprocessor

# dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>

# or use commandline option

# --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>

 

preprocessor ftp_telnet: global \

   encrypted_traffic yes \

   inspection_type stateful

 

preprocessor ftp_telnet_protocol: telnet \

   normalize \

   ayt_attack_thresh 200

 

# This is consistent with the FTP rules as of 18 Sept 2004.

# CWD can have param length of 200

# MODE has an additional mode of Z (compressed)

# Check for string formats in USER & PASS commands

# Check nDTM commands that set modification time on the file.

preprocessor ftp_telnet_protocol: ftp server default \

   def_max_param_len 100 \

   alt_max_param_len 200 { CWD } \

   cmd_validity MODE < char ASBCZ > \

   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \

   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \

   telnet_cmds yes \

   data_chan

 

preprocessor ftp_telnet_protocol: ftp client default \

   max_resp_len 256 \

   bounce yes \

   telnet_cmds yes

 

# smtp: SMTP normalizer, protocol enforcement and buffer overflow

#
------------------------------------------------------------------------
---

# This preprocessor normalizes SMTP commands by removing extraneous
spaces.

# It looks for overly long command lines, response lines, and data
header lines.

# It can alert on invalid commands, or specific valid commands.  It can
optionally

# ignore mail data, and can ignore TLS encrypted data.

#

# SMTP has numerous options available, please read README.SMTP for help

# configuring options.

 

#####

# Per Step #2, set the following to load the smtp preprocessor

# dynamicpreprocessor <full path to libsf_smtp_preproc.so>

# or use commandline option

# --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>

 

preprocessor smtp: \

  ports { 25 } \

  inspection_type stateful \

  normalize cmds \

  normalize_cmds { EXPN VRFY RCPT } \

  alt_max_command_line_len 260 { MAIL } \

  alt_max_command_line_len 300 { RCPT } \

  alt_max_command_line_len 500 { HELP HELO ETRN } \

  alt_max_command_line_len 255 { EXPN VRFY }

 

# sfPortscan

# ----------

# Portscan detection module.  Detects various types of portscans and

# portsweeps.  For more information on detection philosophy, alert
types,

# and detailed portscan information, please refer to the
README.sfportscan.

#

# -configuration options-

#     proto { tcp udp icmp ip all }

#       The arguments to the proto option are the types of protocol
scans that

#       the user wants to detect.  Arguments should be separated by
spaces and

#       not commas.

#     scan_type { portscan portsweep decoy_portscan distributed_portscan
all }

#       The arguments to the scan_type option are the scan types that
the

#       user wants to detect.  Arguments should be separated by spaces
and not

#       commas.

#     sense_level { low|medium|high }

#       There is only one argument to this option and it is the level of

#       sensitivity in which to detect portscans.  The 'low' sensitivity

#       detects scans by the common method of looking for response
errors, such

#       as TCP RSTs or ICMP unreachables.  This level requires the least

#       tuning.  The 'medium' sensitivity level detects portscans and 

#       filtered portscans (portscans that receive no response).  This

#       sensitivity level usually requires tuning out scan events from
NATed

#       IPs, DNS cache servers, etc.  The 'high' sensitivity level has

#       lower thresholds for portscan detection and a longer time window
than

#       the 'medium' sensitivity level.  Requires more tuning and may be
noisy

#       on very active networks.  However, this sensitivity levels
catches the

#       most scans.

#     memcap { positive integer }

#       The maximum number of bytes to allocate for portscan detection.
The

#       higher this number the more nodes that can be tracked.

#     logfile { filename }

#       This option specifies the file to log portscan and detailed
portscan

#       values to.  If there is not a leading /, then snort logs to the

#       configured log directory.  Refer to README.sfportscan for
details on

#       the logged values in the logfile.

#     watch_ip { Snort IP List }

#     ignore_scanners { Snort IP List }

#     ignore_scanned { Snort IP List }

#       These options take a snort IP list as the argument.  The
'watch_ip'

#       option specifies the IP(s) to watch for portscan.  The 

#       'ignore_scanners' option specifies the IP(s) to ignore as
scanners.

#       Note that these hosts are still watched as scanned hosts.  The

#       'ignore_scanners' option is used to tune alerts from very active

#       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned'
option 

#       specifies the IP(s) to ignore as scanned hosts.  Note that these
hosts

#       are still watched as scanner hosts.  The 'ignore_scanned' option
is

#       used to tune alerts from very active hosts such as syslog
servers, etc.

#     detect_ack_scans

#       This option will include sessions picked up in midstream by the
stream

#       module, which is necessary to detect ACK scans.  However, this
can lead to

#       false alerts, especially under heavy load with dropped packets;
which is why

#       the option is off by default.

#

preprocessor sfportscan: proto  { all } \

                         memcap { 10000000 } \

                         sense_level { low } \

                                             logfile { portscan.log }

 

# arpspoof

#----------------------------------------

# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,

# unicast ARP requests, and specific ARP mapping monitoring.  To make
use of

# this preprocessor you must specify the IP and hardware address of
hosts on

# the same layer 2 segment as you.  Specify one host IP MAC combo per
line.

# Also takes a "-unicast" option to turn on unicast ARP request
detection. 

# Arpspoof uses Generator ID 112 and uses the following SIDS for that
GID:

 

#  SID     Event description

# -----   -------------------

#   1       Unicast ARP request

#   2       Etherframe ARP mismatch (src)

#   3       Etherframe ARP mismatch (dst)

#   4       ARP cache overwrite attack

 

#preprocessor arpspoof

#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

 

# ssh

#----------------------------------------

# EXPERIMENTAL CODE!!!

#

# THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!

# USE AT YOUR OWN RISK!  DO NOT USE IN PRODUCTION ENVIRONMENTS.

# YOU HAVE BEEN WARNED.

#

# The SSH preprocessor detects the following exploits: Gobbles, CRC 32,

# Secure CRT, and the Protocol Mismatch exploit.

#

# Both Gobbles and CRC 32 attacks occur after the key exchange, and are

# therefore encrypted.  Both attacks involve sending a large payload

# (20kb+) to the server immediately after the authentication challenge.

# To detect the attacks, the SSH preprocessor counts the number of bytes

# transmitted to the server.  If those bytes exceed a pre-defined limit

# within a pre-define number of packets, an alert is generated.  Since

# Gobbles only effects SSHv2 and CRC 32 only effects SSHv1, the SSH

# version string exchange is used to distinguish the attacks.

#

# The Secure CRT and protocol mismatch exploits are observable before

# the key exchange.

#

# SSH has numerous options available, please read README.ssh for help

# configuring options.

 

#####

# Per Step #2, set the following to load the ssh preprocessor

# dynamicpreprocessor <full path to libsf_ssh_preproc.so>

# or use commandline option

# --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>

#

#preprocessor ssh: server_ports { 22 } \

#                  max_client_bytes 19600 \

#                  max_encrypted_packets 20

 

# DCE/RPC

#----------------------------------------

#

# The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.

# It is primarily interested in DCE/RPC data, and only decodes SMB

# to get at the DCE/RPC data carried by the SMB layer.

# 

# Currently, the preprocessor only handles reassembly of fragmentation

# at both the SMB and DCE/RPC layer.  Snort rules can be evaded by

# using both types of fragmentation; with the preprocessor enabled

# the rules are given a buffer with a reassembled SMB or DCE/RPC

# packet to examine.

# 

# At the SMB layer, only fragmentation using WriteAndX is currently

# reassembled.  Other methods will be handled in future versions of

# the preprocessor.

# 

# Autodetection of SMB is done by looking for "\xFFSMB" at the start of

# the SMB data, as well as checking the NetBIOS header (which is always

# present for SMB) for the type "SMB Session".

# 

# Autodetection of DCE/RPC is not as reliable.  Currently, two bytes are

# checked in the packet.  Assuming that the data is a DCE/RPC header,

# one byte is checked for DCE/RPC version (5) and another for the type

# "DCE/RPC Request".  If both match, the preprocessor proceeds with that

# assumption that it is looking at DCE/RPC data.  If subsequent checks

# are nonsensical, it ends processing.

#

# DCERPC has numerous options available, please read README.dcerpc for
help

# configuring options.

 

#####

# Per Step #2, set the following to load the dcerpc preprocessor

# dynamicpreprocessor <full path to libsf_dcerpc_preproc.so>

# or use commandline option

# --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>

 

preprocessor dcerpc: \

    autodetect \

    max_frag_size 3000 \

    memcap 100000

 

# DNS

#----------------------------------------

# The dns preprocessor (currently) decodes DNS Response traffic

# and detects a few vulnerabilities.

#

# DNS has a few options available, please read README.dns for

# help configuring options.

 

#####

# Per Step #2, set the following to load the dns preprocessor

# dynamicpreprocessor <full path to libsf_dns_preproc.so>

# or use commandline option

# --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>

 

preprocessor dns: \

    ports { 53 } \

    enable_rdata_overflow

 

####################################################################

# Step #4: Configure output plugins

#

# Uncomment and configure the output plugins you decide to use.  General

# configuration for output plugins is of the form:

#

# output <name_of_plugin>: <configuration_options>

#

# alert_syslog: log alerts to syslog

# ----------------------------------

# Use one or more syslog facilities as arguments.  Win32 can also
optionally

# specify a particular hostname/port.  Under Win32, the default hostname
is

# '127.0.0.1', and the default port is 514.

#

# [Unix flavours should use this format...]

# output alert_syslog: LOG_AUTH LOG_ALERT

#

# [Win32 can use any of these formats...]

# output alert_syslog: LOG_AUTH LOG_ALERT

 output alert_syslog: host=192.168.0.1, LOG_AUTH LOG_ALERT

# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

 

# log_tcpdump: log packets in binary tcpdump format

# -------------------------------------------------

# The only argument is the output file name.

#

# output log_tcpdump: tcpdump.log

output alert_fast: alert.ids

# database: log to a variety of databases

# ---------------------------------------

# See the README.database file for more information about configuring

# and using this plugin.

#

# output database: log, mysql, user=root password=test dbname=db
host=localhost

# output database: alert, postgresql, user=snort dbname=snort

# output database: log, odbc, user=snort dbname=snort

# output database: log, mssql, dbname=snort user=snort password=test

# output database: log, oracle, dbname=snort user=snort password=test

 

# unified: Snort unified binary format alerting and logging

# -------------------------------------------------------------

# The unified output plugin provides two new formats for logging and
generating

# alerts from Snort, the "unified" format.  The unified format is a
straight

# binary format for logging data out of Snort that is designed to be
fast and

# efficient.  Used with barnyard (the new alert/log processor), most of
the

# overhead for logging and alerting to various slow storage mechanisms
such as

# databases or the network can now be avoided.  

#

# Check out the spo_unified.h file for the data formats.

#

# Two arguments are supported.

#    filename - base filename to write to (current time_t is appended)

#    limit    - maximum size of spool file in MB (default: 128)

#

# output alert_unified: filename snort.alert, limit 128

# output log_unified: filename snort.log, limit 128

 

 

# prelude: log to the Prelude Hybrid IDS system

# ---------------------------------------------

#

# profile = Name of the Prelude profile to use (default is snort).

#

# Snort priority to IDMEF severity mappings:

# high < medium < low < info

#

# These are the default mapped from classification.config:

# info   = 4

# low    = 3

# medium = 2

# high   = anything below medium

#

# output alert_prelude

# output alert_prelude: profile=snort-profile-name

 

 

# You can optionally define new rule types and associate one or more
output

# plugins specifically to that type.

#

# This example will create a type that will log to just tcpdump.

# ruletype suspicious

# {

#   type log

#   output log_tcpdump: suspicious.log

# }

#

# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:

# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC
Server";)

#

# This example will create a rule type that will log to syslog and a
mysql

# database:

# ruletype redalert

# {

#   type alert

#   output alert_syslog: LOG_AUTH LOG_ALERT

#   output database: log, mysql, user=snort dbname=snort host=localhost

# }

#

# EXAMPLE RULE FOR REDALERT RULETYPE:

# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \

#   (msg:"Someone is being LEET"; flags:A+;)

 

#

# Include classification & priority settings

# Note for Windows users:  You are advised to make this an absolute
path,

# such as:  c:\snort\etc\classification.config

#

 

include c:\snort\etc\classification.config

 

#

# Include reference systems

# Note for Windows users:  You are advised to make this an absolute
path,

# such as:  c:\snort\etc\reference.config

#

 

include c:\snort\etc\reference.config

 

####################################################################

# Step #5: Configure snort with config statements

#

# See the snort manual for a full set of configuration references

#

# config flowbits_size: 64

#

# New global ignore_ports config option from Andy Mullican

#

# config ignore_ports: <tcp|udp> <list of ports separated by whitespace>

# config ignore_ports: tcp 21 6667:6671 1356

# config ignore_ports: udp 1:17 53

 

 

####################################################################

# Step #6: Customize your rule set

#

# Up to date snort rules are available at http://www.snort.org

#

# The snort web site has documentation about how to write your own
custom snort

# rules.

 

#=========================================

# Include all relevant rulesets here 

# 

# The following rulesets are disabled by default:

#

#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info,
virus,

#   chat, multimedia, and p2p

#            

# These rules are either site policy specific or require tuning in order
to not

# generate false positive alerts in most enviornments.

# 

# Please read the specific include file for more information and

# README.alert_order for how rule ordering affects how alerts are
triggered.

#=========================================

 

include $RULE_PATH/local.rules

include $RULE_PATH/bad-traffic.rules

include $RULE_PATH/exploit.rules

include $RULE_PATH/scan.rules

include $RULE_PATH/finger.rules

include $RULE_PATH/ftp.rules

include $RULE_PATH/telnet.rules

include $RULE_PATH/rpc.rules

include $RULE_PATH/rservices.rules

include $RULE_PATH/dos.rules

include $RULE_PATH/ddos.rules

include $RULE_PATH/dns.rules

include $RULE_PATH/tftp.rules

 

include $RULE_PATH/web-cgi.rules

include $RULE_PATH/web-coldfusion.rules

include $RULE_PATH/web-iis.rules

include $RULE_PATH/web-frontpage.rules

include $RULE_PATH/web-misc.rules

include $RULE_PATH/web-client.rules

include $RULE_PATH/web-php.rules

 

include $RULE_PATH/sql.rules

include $RULE_PATH/x11.rules

include $RULE_PATH/icmp.rules

include $RULE_PATH/netbios.rules

include $RULE_PATH/misc.rules

include $RULE_PATH/attack-responses.rules

include $RULE_PATH/oracle.rules

include $RULE_PATH/mysql.rules

include $RULE_PATH/snmp.rules

 

include $RULE_PATH/smtp.rules

include $RULE_PATH/imap.rules

include $RULE_PATH/pop2.rules

include $RULE_PATH/pop3.rules

 

include $RULE_PATH/nntp.rules

include $RULE_PATH/other-ids.rules

 include $RULE_PATH/web-attacks.rules

# include $RULE_PATH/backdoor.rules

# include $RULE_PATH/shellcode.rules

 include $RULE_PATH/policy.rules

 include $RULE_PATH/porn.rules

 include $RULE_PATH/info.rules

 include $RULE_PATH/icmp-info.rules

 include $RULE_PATH/virus.rules

 include $RULE_PATH/chat.rules

 include $RULE_PATH/multimedia.rules

 include $RULE_PATH/p2p.rules

 include $RULE_PATH/spyware-put.rules

 include $RULE_PATH/specific-threats.rules

include $RULE_PATH/experimental.rules

 

# Include any thresholding or suppression commands. See threshold.conf
in the

# <snort src>/etc directory for details. Commands don't necessarily need
to be

# contained in this conf, but a separate conf makes it easier to
maintain them. 

# Note for Windows users:  You are advised to make this an absolute
path,

# such as:  c:\snort\etc\threshold.conf

# Uncomment if needed.

 include c:\snort\etc\threshold.conf

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20070916/684e1680/attachment.html>


More information about the Snort-users mailing list