[Snort-users] 2.8.4 and ssh preprocessor

Matt Watchinski mwatchinski at ...1935...
Fri Apr 10 12:45:35 EDT 2009


Known issue.  The SSH pre-processor is still experimental.

Cheers,
-matt

On Fri, Apr 10, 2009 at 1:13 AM, Nerijus Krukauskas
<nkrukauskas at ...11827...> wrote:
> Hi,
>
> The new 2.8.4 snort. If I enable the experimental ssh preprocessor,
> then snort never starts. The output is stuck right after the message
> about ssh preprocessor config used. CPU goes at 100% utilisation. The
> snort process then can only be killed with KILL signal. If the ssh
> preprocessor is commented out, then snort starts and runs as it should.
>
> Anyone else with this kind of problem?
>
>
>
> Cmd line used to start snort:
> /usr/local/bin/snort -K none -o -e -c <config provided below> -X -d -y -i ${IFACE} ${BPF}
>
>
> =====Config used=====
>
> var HOME_NET [<a couple of networks>]
>
> var EXTERNAL_NET !$HOME_NET
>
> var DNS_SERVERS [<a few DNS servers>]
>
> var SMTP_SERVERS [<smtp servers>]
>
> var HTTP_SERVERS $HOME_NET
>
> var SQL_SERVERS [<sql server>]
>
> var TELNET_SERVERS $HOME_NET
>
> var SNMP_SERVERS $HOME_NET
>
> portvar HTTP_PORTS 80
>
> portvar SHELLCODE_PORTS !80
>
> portvar ORACLE_PORTS 1521
>
> var AIM_SERVERS [64.12.0.0/16,205.188.0.0/16]
>
> var RULE_PATH ../rules
> var PREPROC_RULE_PATH ../preproc_rules
>
> config stateful
> config enable_decode_oversized_alerts
> config event_queue: max_queue 4 log 2 order_events priority
> config threshold: memcap 20971520
>
> config detection: search-method ac-bnfa
>
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> dynamicdetection directory /usr/local/lib/snort_dynamicrules/
>
> preprocessor frag3_global: max_frags 16384, memcap 8192000, prealloc_frags 8192
> include $RULE_PATH/../conf/frag3-targets-last.conf
> include $RULE_PATH/../conf/frag3-targets-linux.conf
> include $RULE_PATH/../conf/frag3-targets-bsd.conf
> preprocessor frag3_engine: policy Windows detect_anomalies
>
> preprocessor stream5_global: flush_on_alert, \
>                                track_tcp yes, max_tcp 16384,\
>                                track_udp yes, max_udp 8192,\
>                                track_icmp yes, max_icmp 4096
>
> preprocessor stream5_tcp: bind_to <network>, policy windows, min_ttl 3,\
>                          ports client 21 23 25 42 53 80 110 111 135 136 137 139 143 \
>                                       443 445 513 514 992 993 995 1433 1521 2401 3306
>
> preprocessor stream5_tcp: policy linux, min_ttl 3,\
>                          ports client 21 23 25 42 53 80 110 111 135 136 137 139 143 \
>                                       443 445 513 514 992 993 995 1433 1521 2401 3306
>
> preprocessor stream5_udp: timeout 20
>
> preprocessor stream5_icmp: timeout 20
>
> preprocessor http_inspect: global \
>    iis_unicode_map $RULE_PATH/unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>    ports { 80 8080 } \
>    flow_depth 512 \
>    base36 no \
>    ascii no \
>    bare_byte no \
>    iis_unicode no \
>    double_decode no \
>    multi_slash no \
>    iis_backslash no \
>    directory no \
>    apache_whitespace no \
>    iis_delimiter no \
>    u_encode no \
>    utf_8 no \
>    chunk_length 64000 \
>    non_strict \
>    oversize_dir_length 512 \
>    no_alerts
>
> preprocessor ftp_telnet: global \
>   encrypted_traffic yes \
>   inspection_type stateful
>
> preprocessor ftp_telnet_protocol: telnet \
>   normalize \
>   ayt_attack_thresh 200
>
> preprocessor ftp_telnet_protocol: ftp server default \
>   def_max_param_len 100 \
>   alt_max_param_len 20 { USER } \
>   alt_max_param_len 100 { EPSV } \
>   alt_max_param_len 200 { CWD } \
>   cmd_validity MODE < char ASBCZ > \
>   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>   telnet_cmds yes \
>   data_chan
>
> preprocessor ftp_telnet_protocol: ftp client default \
>   max_resp_len 256 \
>   bounce yes \
>   telnet_cmds yes
>
> preprocessor smtp: \
>  ports { 25 587 691 } \
>  inspection_type stateful \
>  ignore_data \
>  ignore_tls_data \
>  max_command_line_len 512 \
>  max_response_line_len 512 \
>  normalize cmds \
>  normalize_cmds { EXPN VRFY RCPT } \
>  alt_max_command_line_len 260 { MAIL } \
>  alt_max_command_line_len 300 { RCPT } \
>  alt_max_command_line_len 500 { HELP HELO ETRN } \
>  alt_max_command_line_len 255 { EXPN VRFY }
>
> preprocessor sfportscan: proto { all } \
>                         scan_type { all } \
>                         sense_level { low } \
>                         memcap { 32768000 } \
>                         watch_ip { <our network> } \
>                         ignore_scanners { <a few hyper active hosts> } \
>                         ignore_scanned { <a few servers hit by heavy traffic> }
>
> preprocessor ssh: server_ports { 22 } \
>                  max_encrypted_packets 5 \
>                  max_client_bytes 16384 \
>                  autodetect \
>                  disable_protomismatch \
>                  disable_paysize
>
>
> --
> http://nk99.org/
>



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
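Added here as an illustration, not code from the thread or from Snort itself: a small Python check that joins backslash-continued lines the way snort.conf is written and flags option lines that have been cut off from their stanza, run over a constructed stanza modelled on the ssh block quoted above (with the trailing backslash after server_ports deliberately dropped so the check has something to catch).

```python
import re

# Constructed Snort 2.8 conf excerpt modelled on the ssh stanza in the thread;
# the trailing backslash after "server_ports { 22 }" is deliberately dropped
# so the check below has something to catch.
SAMPLE_CONF = """\
preprocessor stream5_udp: timeout 20
preprocessor ssh: server_ports { 22 }
                 max_encrypted_packets 5 \\
                 max_client_bytes 16384 \\
                 autodetect \\
                 disable_protomismatch \\
                 disable_paysize
"""

# Keywords that legitimately begin a logical line in snort.conf.
DIRECTIVE_RE = re.compile(r"^(preprocessor|config|var|portvar|include|output|dynamic\w*)\b")

def parse_snort_conf(text):
    """Join backslash-continued lines. Returns (logical, orphans): logical is a
    list of (first_line_no, text); orphans are line numbers that open a logical
    line without a directive keyword, i.e. options severed from their stanza."""
    logical, orphans = [], []
    buf = start = None
    for n, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        cont = stripped.endswith("\\")
        body = stripped[:-1].strip() if cont else stripped
        if buf is None:
            if not DIRECTIVE_RE.match(body):
                orphans.append(n)
            buf, start = body, n
        else:
            buf += " " + body
        if not cont:
            logical.append((start, buf))
            buf = start = None
    if buf is not None:  # file ended inside a continuation
        logical.append((start, buf))
    return logical, orphans

def preprocessor_options(logical, name):
    """Return the option string Snort would actually see for 'preprocessor <name>:'."""
    for _, text in logical:
        m = re.match(r"preprocessor\s+(\w+):\s*(.*)", text)
        if m and m.group(1) == name:
            return m.group(2).strip()
    return None
```

With the backslash missing, Snort sees only `server_ports { 22 }` for the ssh preprocessor and the remaining options become a stray logical line; the check reports that line number.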



