[Snort-users] snort and squid

Helmut Schneider jumper99 at ...348...
Fri Jan 18 14:17:40 EST 2008


From: "Seth" <sethsec at ...11827...>

> Did you also add 3128 to the http_inspect preprocessor?  ie:
> http_inspect_server: server default profile all ports {80 3128}

Yes. Here are the alerts that are logged:

(ftp_telnet) FTP command
(ftp_telnet) FTP traffic
(ftp_telnet) Invalid FTP
(http_inspect) NON-RFC DEFINED
(http_inspect) OVERSIZE CHUNK
(http_inspect) OVERSIZE REQUEST-URI
(http_inspect) U ENCODING
ICMP Destination Unreachable
ICMP PING *NIX
ICMP PING BSDtype
ICMP PING Windows
ICMP PING [**]
SHELLCODE x86 NOOP
SHELLCODE x86 inc

Thats all. No BPF filter, no threshold.

[root at ...14283... ~]# cat /usr/local/etc/snort/snort.conf | grep ^include
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/voip.rules
[root at ...14283... ~]# 




More information about the Snort-users mailing list