[Snort-users] Question about rules

Ricardo Barbosa ricardobarbosams at ...6873...
Wed Jan 27 14:00:33 EST 2010


Following is the output of the command:

root at ...14740...:~# ldd /usr/sbin/snort
        linux-gate.so.1 =>  (0x008f2000)
        libpcre.so.3 => /lib/libpcre.so.3 (0x005dc000)
        libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0x001a8000)
        libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0x008f3000)
        libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0x00cce000)
        libprelude.so.2 => /usr/lib/libprelude.so.2 (0x001db000)
        libltdl.so.7 => /usr/lib/libltdl.so.7 (0x00994000)
        libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00ef8000)
        libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x00e7f000)
        libz.so.1 => /lib/libz.so.1 (0x0033f000)
        libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00110000)
        libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so..0 (0x0018c000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x0078d000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x00355000)
        /lib/ld-linux.so.2 (0x00c5c000)
        libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00306000)
root at ...14740...:~#

Regards.
--- On Wed, 27/1/10, rmkml <rmkml at ...953...> wrote:

From: rmkml <rmkml at ...953...>
Subject: Re: [Snort-users] Question about rules
To: "Ricardo Barbosa" <ricardobarbosams at ...6873...>
Cc: rmkml at ...953...
Date: Wednesday, 27 January 2010, 9:08

/usr/bin/ldd /usr/sbin/snort  ?
Regards
Rmkml


On Wed, 27 Jan 2010, Ricardo Barbosa wrote:

> hello rmkml
>
> tested with the parameter -k none, however it did not work.
> The lib pcap is installed, but I noticed in the logs that it does not use it.
> I am getting "snort not using pcap frames". Do I need to use the pcap lib with snort?
> Is this the cause of it not quite getting the http payload? Because I changed the rule and, as
> I am doing tests from the browser with text links, changed the content to "Links" and it worked.
> I put the word "Links" because it is what appears in the wireshark logs. How do I enable the lib pcap with snort?
>
> Thank you.
>
> Regards,
>
> --- On Wed, 27/1/10, rmkml <rmkml at ...953...> wrote:
>
> From: rmkml <rmkml at ...953...>
> Subject: Re: [Snort-users] Question about rules
> To: "Ricardo Barbosa" <ricardobarbosams at ...6873...>
> Cc: rmkml at ...953...
> Date: Wednesday, 27 January 2010, 7:46
>
> ok, thank you,
> maybe you have a (network) pcap please?
> have you tested adding "-k none" on the cmd line when starting snort?
> Regards
> Rmkml
>
>
> On Wed, 27 Jan 2010, Ricardo Barbosa wrote:
>
>> Hi rmkml
>>
>> answering the questions
>>
>>> what snort version you test please?
>>
>> root at ...14740...:~# snort -V
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.8.4.1 (Build 38)  
>>    ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/team.html
>>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>>            Using PCRE version: 7.8 2008-09-05
>>
>> root at ...14740...:~#
>>
>>
>>> Do you send your conf?
>>
>> /etc/snort/snort.debian.conf
>> DEBIAN_SNORT_STARTUP="boot"
>> DEBIAN_SNORT_HOME_NET="20.0.0.0/8"
>> DEBIAN_SNORT_OPTIONS=""
>> DEBIAN_SNORT_INTERFACE="eth0"
>> DEBIAN_SNORT_SEND_STATS="true"
>> DEBIAN_SNORT_STATS_RCPT="root"
>> DEBIAN_SNORT_STATS_THRESHOLD="1"
>> /etc/snort/snort.conf
>> var HOME_NET $eth0_ADDRESS
>> var EXTERNAL_NET any
>> var DNS_SERVERS $HOME_NET
>> var SMTP_SERVERS $HOME_NET
>> var HTTP_SERVERS $HOME_NET
>> var SQL_SERVERS $HOME_NET
>> var TELNET_SERVERS $HOME_NET
>> var SNMP_SERVERS $HOME_NET
>> portvar HTTP_PORTS 80
>> portvar SHELLCODE_PORTS !80
>> portvar ORACLE_PORTS 1521
>> var AIM_SERVERS
>> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>> var RULE_PATH /etc/snort/rules
>> var PREPROC_RULE_PATH /etc/snort/preproc_rules
>> dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>> dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
>> preprocessor frag3_global: max_frags 65536
>> preprocessor frag3_engine: policy first detect_anomalies
>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>>                               track_udp no
>> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
>> preprocessor http_inspect: global \
>>     iis_unicode_map unicode.map 1252
>> preprocessor http_inspect_server: server default \
>>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>> preprocessor rpc_decode: 111 32771
>> preprocessor bo
>> preprocessor ftp_telnet: global \
>>    encrypted_traffic yes \
>>    inspection_type stateful
>> preprocessor ftp_telnet_protocol: telnet \
>>    normalize \
>>    ayt_attack_thresh 200
>> preprocessor ftp_telnet_protocol: ftp server default \
>>    def_max_param_len 100 \
>>    alt_max_param_len 200 { CWD } \
>>    cmd_validity MODE < char ASBCZ > \
>>    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>>    telnet_cmds yes \
>>    data_chan
>> preprocessor ftp_telnet_protocol: ftp client default \
>>    max_resp_len 256 \
>>    bounce yes \
>>    telnet_cmds yes
>> preprocessor smtp: \
>>   ports { 25 587 691 } \
>>   inspection_type stateful \
>>   normalize cmds \
>>   normalize_cmds { EXPN VRFY RCPT } \
>>   alt_max_command_line_len 260 { MAIL } \
>>   alt_max_command_line_len 300 { RCPT } \
>>   alt_max_command_line_len 500 { HELP HELO ETRN } \
>>   alt_max_command_line_len 255 { EXPN VRFY }
>> preprocessor sfportscan: proto  { all } \
>>                          memcap { 10000000 } \
>>                          sense_level { low }
>> preprocessor dcerpc2
>> preprocessor dcerpc2_server: default
>> preprocessor dns: \
>>     ports { 53 } \
>>     enable_rdata_overflow
>> preprocessor ssl: noinspect_encrypted, trustservers
>> output log_tcpdump: tcpdump.log
>> include classification.config
>> include reference.config
>> include $RULE_PATH/local.rules
>> include $RULE_PATH/bad-traffic.rules
>> include $RULE_PATH/exploit.rules
>> include $RULE_PATH/community-exploit.rules
>> include $RULE_PATH/scan.rules
>> include $RULE_PATH/finger.rules
>> include $RULE_PATH/ftp.rules
>> include $RULE_PATH/telnet.rules
>> include $RULE_PATH/rpc.rules
>> include $RULE_PATH/rservices.rules
>> include $RULE_PATH/dos.rules
>> include $RULE_PATH/community-dos.rules
>> include $RULE_PATH/ddos.rules
>> include $RULE_PATH/dns.rules
>> include $RULE_PATH/tftp.rules
>> include $RULE_PATH/web-cgi.rules
>> include $RULE_PATH/web-coldfusion.rules
>> include $RULE_PATH/web-iis.rules
>> include $RULE_PATH/web-frontpage.rules
>> include $RULE_PATH/web-misc.rules
>> include $RULE_PATH/web-client.rules
>> include $RULE_PATH/web-php.rules
>> include $RULE_PATH/community-sql-injection.rules
>> include $RULE_PATH/community-web-client.rules
>> include $RULE_PATH/community-web-dos.rules
>> include $RULE_PATH/community-web-iis.rules
>> include $RULE_PATH/community-web-misc.rules
>> include $RULE_PATH/community-web-php.rules
>> include $RULE_PATH/sql.rules
>> include $RULE_PATH/x11.rules
>> include $RULE_PATH/icmp.rules
>> include $RULE_PATH/netbios.rules
>> include $RULE_PATH/misc.rules
>> include $RULE_PATH/attack-responses.rules
>> include $RULE_PATH/oracle.rules
>> include $RULE_PATH/community-oracle.rules
>> include $RULE_PATH/mysql.rules
>> include $RULE_PATH/snmp.rules
>> include $RULE_PATH/community-ftp.rules
>> include $RULE_PATH/smtp.rules
>> include $RULE_PATH/community-smtp.rules
>> include $RULE_PATH/imap.rules
>> include $RULE_PATH/community-imap.rules
>> include $RULE_PATH/pop2.rules
>> include $RULE_PATH/pop3.rules
>> include $RULE_PATH/nntp.rules
>> include $RULE_PATH/community-nntp.rules
>> include $RULE_PATH/community-sip.rules
>> include $RULE_PATH/other-ids.rules
>> include $RULE_PATH/web-attacks.rules
>> include $RULE_PATH/backdoor.rules
>> include $RULE_PATH/community-bot.rules
>> include $RULE_PATH/community-virus.rules
>> include $RULE_PATH/experimental.rules
>> include threshold.conf
>>
>>> snort cmd line starting please?
>>
>> /usr/sbin/snort -m 027 -D -d -v -l /var/log/snort -u snort -g snort
>> -c /etc/snort/snort.conf -S HOME_NET=[10.0.0.0/8] -i eth0
>>
>>> for example, maybe disable checksum with '-k none' on cmd line...
>>> you have created a html page (http reply server side), and you have
>>> created a snort rule on client (to server) side...
>>> Regards
>> In desperation, I tried the following rules
>>
>> alert tcp 10.0.0.0/8 80 -> any any (content:"teste rule"; msg:"TEST
>> HTTP"; sid:100000000;)
>> alert tcp any any <> any any (content:"teste rule"; msg:"TEST HTTP";
>> sid:100000000;)
>> alert tcp any any <> any any (content:"teste rule"; http_client_body;
>> msg:"TEST HTTP"; sid:100000000; depth:1000;)
>>
>> without success in all of them.
>>
>> No idea where I can be wrong or whether I am missing some preprocessor. Thank you.
>>
>> Regards.
>>
>>
>>
>>
>
>


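The three test rules quoted above share one sid and the third one uses http_client_body, which only inspects the body of a client request, while the "teste rule" text is in the page the server sends back. The pair below is an added example (not from the thread or from rmkml) written for the Snort 2.8.4.1 rule syntax shown in the thread; it assumes the test page is served from a host in $HOME_NET on a port listed in $HTTP_PORTS and that $HOME_NET and $HTTP_PORTS are set as in the quoted snort.conf.

```snort
# Constructed test rules for Snort 2.8.4.1 (not from the original thread).
# Assumes: the page containing "teste rule" is served by a web server in
# $HOME_NET on a port in $HTTP_PORTS, and the browser is the client.

# 1) The string lives in the HTTP *response* (server -> client). Match it in
#    that direction only, on an established session, so the plain content
#    match is checked against the server's payload instead of the request.
#    Snort 2.8.4 has no http_server_body modifier, so a plain content is used.
alert tcp $HOME_NET $HTTP_PORTS -> any any ( \
    msg:"TEST HTTP server response body"; \
    flow:established,from_server; \
    content:"teste rule"; nocase; \
    classtype:misc-activity; \
    sid:1000001; rev:1; )

# 2) http_client_body only inspects the body of a client request (e.g. a POST
#    form). Use it for the request direction, with the opposite flow keyword.
#    Every rule needs its own sid: loading several rules with the same sid is
#    rejected as a duplicate, so the three quoted rules cannot coexist.
alert tcp any any -> $HOME_NET $HTTP_PORTS ( \
    msg:"TEST HTTP client request body"; \
    flow:established,to_server; \
    content:"teste rule"; http_client_body; \
    classtype:misc-activity; \
    sid:1000002; rev:1; )
```

Before blaming the rule, confirm with a pcap (as rmkml asked) that the string really appears in the wire payload of the response; the thread's own observation that "Links" from the Wireshark capture matched while "teste rule" did not is the check that the expected text was not on the wire as written.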