[Snort-users] Trying to troubleshoot snort install.

Matt Watchinski mwatchinski at ...1935...
Wed Feb 3 11:14:14 EST 2010


If you didn't compile with

./configure --enable-decoder-preprocessor-rules

Then alerting works the old way.

Cheers,
-matt

On Wed, Feb 3, 2010 at 11:00 AM, Andy Berryman <aberryman at ...14758...> wrote:

> Well, if I'm not loading the preprocessor rules, why do I get http_inspect
> alerts and portscan alerts? Do the preprocessors generate alerts on the
> default settings regardless of whether a rule is applied or not?
>
> Thanks,
> Andy
>
> -----Original Message-----
> From: Nigel Houghton [mailto:nhoughton at ...1935...]
> Sent: Wednesday, February 03, 2010 9:43 AM
> To: Andy Berryman
> Cc: Snort Users List
> Subject: Re: [Snort-users] Trying to troubleshoot snort install.
>
> On Wed, Feb 3, 2010 at 10:13 AM, Matt Watchinski
> <mwatchinski at ...1935...> wrote:
> > Did you tell snort you want to use the preproc and decoder rules?  I don't
> > see the rules included in your pasted conf.  You have to first enable the
> > use of this feature with:
> >
> > ./configure --enable-decoder-preprocessor-rules
> >
> > Then add the rules files from here:
> >
> > src/snort-2.8.5.1/preproc_rules/decoder.rules
> > src/snort-2.8.5.1/preproc_rules/preprocessor.rules
> >
> > Cheers,
> > -matt
> >
> > On Tue, Feb 2, 2010 at 4:53 PM, Andy Berryman <aberryman at ...14758...> wrote:
> >>
> >> Can someone point me in the right direction please? I'm trying to figure
> >> out if I'm chasing my tail here. Basically when I start snort I tail syslog
> >> and see this.
> >>
> >> Feb  2 21:26:59 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++
> >> Feb  2 21:26:59 (none) snort[19257]: Initializing rule chains...
> >> Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
> >> Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
> >> Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
> >> Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules
> >> Feb  2 21:27:15 (none) snort[19257]: 5866 Option Chains linked into 624 Chain Headers
> >> Feb  2 21:27:15 (none) snort[19257]: 0 Dynamic rules
> >> Feb  2 21:27:15 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++
> >>
> >> Doesn't that tell me that it's not loading any of the preprocessor,
> >> decoder, or dynamic rules?
> >>
> >>
> >>
> >>
> >>
> >> Here is more from syslog where I thought it said it was loading them.
> >>
> >> Loading all dynamic engine libs from /snort_lib/snort_dynamicengine...
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic engine /snort_lib/snort_dynamicengine/libsf_engine.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic engine libs from /snort_lib/snort_dynamicengine
> >> Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic detection libs from /snort_lib/snort_dynamicrules...
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/bad-traffic.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/chat.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/dos.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/exploit.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/imap.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/misc.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/multimedia.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/netbios.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/nntp.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/p2p.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/smtp.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/sql.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-client.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-misc.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-activex.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-iis.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic detection libs from /snort_lib/snort_dynamicrules
> >> Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor...
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so...
> >> Feb  2 21:30:14 (none) snort[19434]: done
> >> Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor
> >>
> >> Here's my snort.conf
> >>
> >> var HOME_NET [10.27.1.0/24,10.10.1.0/24,10.150.1.0/24]
> >> var EXTERNAL_NET !$HOME_NET
> >> var DNS_SERVERS 10.27.1.2
> >> var SMTP_SERVERS $HOME_NET
> >> var HTTP_SERVERS $HOME_NET
> >> var SQL_SERVERS $HOME_NET
> >> var TELNET_SERVERS $HOME_NET
> >> var SNMP_SERVERS $HOME_NET
> >> var HTTP_PORTS 80
> >> var SHELLCODE_PORTS !80
> >> var ORACLE_PORTS 1521
> >> var SSH_PORTS 22
> >> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> >> var RULE_PATH  /snort/conf
> >> var SORULE_PATH /snort/conf/so_rules
> >> #config detection: search-method ac
> >> config disable_decode_alerts
> >> config disable_tcpopt_experimental_alerts
> >> config profile_rules: print 20, sort total_ticks, filename rule_profiles.txt
> >> dynamicdetection directory /snort_lib/snort_dynamicrules
> >> dynamicpreprocessor directory /snort_lib/snort_dynamicpreprocessor
> >> dynamicengine directory /snort_lib/snort_dynamicengine
> >> config flowbits_size: 256
> >> include classification.config
> >> include reference.config
> >> include $RULE_PATH/general.rules
> >> include $RULE_PATH/local.rules
> >> #include $RULE_PATH/so.rules
> >> include $SORULE_PATH/bad-traffic.rules
> >> include $SORULE_PATH/chat.rules
> >> include $SORULE_PATH/dos.rules
> >> include $SORULE_PATH/exploit.rules
> >> include $SORULE_PATH/imap.rules
> >> include $SORULE_PATH/misc.rules
> >> include $SORULE_PATH/multimedia.rules
> >> include $SORULE_PATH/netbios.rules
> >> include $SORULE_PATH/nntp.rules
> >> include $SORULE_PATH/p2p.rules
> >> include $SORULE_PATH/smtp.rules
> >> include $SORULE_PATH/sql.rules
> >> include $SORULE_PATH/web-client.rules
> >> include $SORULE_PATH/web-misc.rules
> >> preprocessor frag3_global: max_frags 65536
> >> preprocessor frag3_engine: policy first detect_anomalies timeout 1800
> >> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
> >> preprocessor stream5_tcp: policy first
> >> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> >> preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
> >> preprocessor rpc_decode: 111 32771
> >> #preprocessor bo
> >> #preprocessor flow: stats_interval 0 hash 2
> >> preprocessor sfportscan: proto  { all } \
> >>                          scan_type { all } \
> >>                          memcap { 10000000 } \
> >>                          sense_level { medium }
> >> preprocessor perfmonitor: \
> >> time 30 events flow max console pktcnt 10000
> >> preprocessor arpspoof
> >> preprocessor dcerpc2
> >> #preprocessor ssl: noinspect_encrypted
> >> output queue: /var/log/snort/queue/ /snort/conf/sidfile
> >> #output alert_syslog: LOG_AUTH LOG_ALERT
> >>
> >> Thanks,
> >>
> >> Andy Berryman
> >>
> >> Cymtec Systems
> >>
> >> support at ...14758...
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >> The Planet: dedicated and managed hosting, cloud storage, colocation
> >> Stay online with enterprise data centers and the best network in the
> >> business
> >> Choose flexible plans and management services without long-term
> contracts
> >> Personal 24x7 support from experience hosting pros just a phone call
> away.
> >> http://p.sf.net/sfu/theplanet-com
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> > --
> > Matthew Watchinski
> > Sr. Director Vulnerability Research Team (VRT)
> > Sourcefire, Inc.
> > Office: 410-423-1928
> > http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
> >
> >
> >
>
>
> Also, if the shared object rules didn't get activated, there is some
> more output from snort after the output you pasted that would be
> useful.
>
> Make sure you dumped the shared object rule stubs into your SORULE_PATH.
>
>  # snort -c /snort/conf/snort.conf --dump-dynamic-rules=/snort/conf/so_rules
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT
> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>
>
>
>
>



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
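As an added diagnostic (my own code, not from this thread or from the Snort project), the check below parses the startup summary Andy pasted plus the alert-related lines of his snort.conf and reports the three conditions Matt and Nigel point at: no decoder/preprocessor rules loaded, the preproc_rules files not included, and the old-style alert switches (`config disable_decode_alerts`, `no_alerts` on `http_inspect_server`) that silence events regardless of any rules file. SAMPLE_LOG and SAMPLE_CONF are constructed from the quoted text, not real captures.

```python
import re

# Constructed from the startup summary quoted in the thread; not a real capture.
SAMPLE_LOG = """\
Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules
"""

# Constructed excerpt of the poster's snort.conf, trimmed to the lines that matter here.
SAMPLE_CONF = """\
var RULE_PATH  /snort/conf
config disable_decode_alerts
include $RULE_PATH/general.rules
preprocessor http_inspect_server: server default profile all ports { 80 8080 } no_alerts
"""

COUNT_RE = re.compile(r"snort\[\d+\]:\s+(\d+)\s+(detection|decoder|preprocessor) rules")


def parse_rule_counts(log_text):
    """Pull the per-category counts out of Snort's 'rules read' summary."""
    return {kind: int(n) for n, kind in COUNT_RE.findall(log_text)}


def audit(log_text, conf_text):
    """Return short findings explaining why decoder/preprocessor events may be absent."""
    counts = parse_rule_counts(log_text)
    conf = [ln.strip() for ln in conf_text.splitlines()]
    conf = [ln for ln in conf if ln and not ln.startswith("#")]  # drop blanks and comments
    includes = [ln[len("include "):].strip() for ln in conf if ln.startswith("include ")]
    findings = []
    # 0/0 means the preproc_rules files were never included, or the build lacks
    # --enable-decoder-preprocessor-rules and alerting works "the old way".
    if counts.get("decoder", 0) == 0 and counts.get("preprocessor", 0) == 0:
        findings.append("no decoder/preprocessor rules loaded")
    if not any(p.endswith(("decoder.rules", "preprocessor.rules")) for p in includes):
        findings.append("decoder.rules / preprocessor.rules not included")
    # Old-way switches in the conf that silence events regardless of any rules file.
    if any(ln.startswith("config disable_decode_alerts") for ln in conf):
        findings.append("config disable_decode_alerts suppresses decoder alerts")
    if any(ln.startswith("preprocessor http_inspect_server") and "no_alerts" in ln for ln in conf):
        findings.append("http_inspect_server no_alerts silences that server profile")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, SAMPLE_CONF):
        print("-", finding)
```

Run it against a real syslog excerpt and snort.conf to see which of the findings survive after adding the two preproc_rules includes and rebuilding with the configure flag.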