[Snort-users] HTTP reassembly problem

João Lima joao.pedro.paulino.lima at ...11827...
Tue Oct 9 17:19:07 EDT 2012


Hello,

Can anyone help me with this issue?

Best regards,

João Pedro Lima

2012/10/9 João Lima <joao.pedro.paulino.lima at ...11827...>

> Sure,
>
> The pcap contains the complete HTTP session of the request. What I expect
> to obtain is packet 4 and 5 in just one "pseudo-packet" that represent the
> complete HTTP request.
>
> Best regards,
>
> João Pedro Lima
>
>
> 2012/10/9 Russ Combs <rcombs at ...1935...>
>
>> Can you send a pcap?
>>
>> On Tue, Oct 9, 2012 at 10:29 AM, João Lima <
>> joao.pedro.paulino.lima at ...11827...> wrote:
>>
>>> Hello,
>>>
>>> I'm having a little problem with the reassembly of HTTP PDUs...
>>>
>>> My scenario is the following: I have one HTTP POST that is spread across
>>> two TCP packets... What I'm trying to do is to find one message and raise an
>>> alert when it is found, in order to be able to process it in a custom system...
>>>
>>> However, I've already tried almost every configuration of stream5 and
>>> http_inspect, and I'm only able to retrieve the first packet of the two
>>> that compose the HTTP POST... All the documentation says that Snort is
>>> able to reassemble packets, but I've found no information about its
>>> ability to send a unified2 packet with the reassembled packet...
>>>
>>> The HTTP server is running on port 8081...
>>>
>>> Can you tell me if I'm missing something, either in the snort
>>> configuration or in the detection rule?
>>>
>>> Rule used to detect the packet:
>>>
>>> "alert tcp any any -> 192.168.8.177 any (msg:"Action type 50";
>>> sid:1000050; content:"|3c 78 73 64 .......|";)"
>>>
>>> My snort.conf is below:
>>>
>>> # Setup the network addresses you are protecting
>>> ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
>>>
>>> # Set up the external network addresses. Leave as "any" in most situations
>>> ipvar EXTERNAL_NET any
>>>
>>> # List of DNS servers on your network
>>> ipvar DNS_SERVERS $HOME_NET
>>>
>>> # List of SMTP servers on your network
>>> ipvar SMTP_SERVERS $HOME_NET
>>>
>>> # List of web servers on your network
>>> ipvar HTTP_SERVERS $HOME_NET
>>>
>>> # List of sql servers on your network
>>> ipvar SQL_SERVERS $HOME_NET
>>>
>>> # List of telnet servers on your network
>>> ipvar TELNET_SERVERS $HOME_NET
>>>
>>> # List of ssh servers on your network
>>> ipvar SSH_SERVERS $HOME_NET
>>>
>>> # List of ftp servers on your network
>>> ipvar FTP_SERVERS $HOME_NET
>>>
>>> # List of sip servers on your network
>>> ipvar SIP_SERVERS $HOME_NET
>>>
>>> # List of ports you run web servers on
>>> portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]
>>>
>>> # List of ports you want to look for SHELLCODE on.
>>> portvar SHELLCODE_PORTS !80
>>>
>>> # List of ports you might see oracle attacks on
>>> portvar ORACLE_PORTS 1024:
>>>
>>> # List of ports you want to look for SSH connections on:
>>> portvar SSH_PORTS 22
>>>
>>> # List of ports you run ftp servers on
>>> portvar FTP_PORTS [21,2100,3535]
>>>
>>> # List of ports you run SIP servers on
>>> portvar SIP_PORTS [5060,5061,5600]
>>>
>>> # List of file data ports for file inspection
>>> portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
>>>
>>> # List of GTP ports for GTP preprocessor
>>> portvar GTP_PORTS [2123,2152,3386]
>>>
>>> # other variables, these should not be modified
>>> ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>>
>>> include /etc/nsm/CSIS/local.variables
>>>
>>> # Path to your rules files (this can be a relative path)
>>> # Note for Windows users:  You are advised to make this an absolute path,
>>> # such as:  c:\snort\rules
>>> var RULE_PATH /etc/nsm/rules
>>> var SO_RULE_PATH /etc/nsm/rules
>>> var PREPROC_RULE_PATH /etc/nsm/preproc_rules
>>>
>>> # If you are using reputation preprocessor set these
>>> # Currently there is a bug with relative paths, they are relative to where snort is
>>> # not relative to snort.conf like the above variables
>>> # This is completely inconsistent with how other vars work, BUG 89986
>>> # Set the absolute path appropriately
>>> var WHITE_LIST_PATH /etc/nsm/rules
>>> var BLACK_LIST_PATH /etc/nsm/rules
>>>
>>> ###################################################
>>> # Step #2: Configure the decoder.  For more information, see README.decode
>>> ###################################################
>>>
>>> # Stop generic decode events:
>>> config disable_decode_alerts
>>>
>>> # Stop Alerts on experimental TCP options
>>> config disable_tcpopt_experimental_alerts
>>>
>>> # Stop Alerts on obsolete TCP options
>>> config disable_tcpopt_obsolete_alerts
>>>
>>> # Stop Alerts on T/TCP alerts
>>> config disable_tcpopt_ttcp_alerts
>>>
>>> # Stop Alerts on all other TCPOption type events:
>>> config disable_tcpopt_alerts
>>>
>>> # Stop Alerts on invalid ip options
>>> config disable_ipopt_alerts
>>>
>>> # Alert if value in length field (IP, TCP, UDP) is greater than the length of the packet
>>> # config enable_decode_oversized_alerts
>>>
>>> # Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
>>> # config enable_decode_oversized_drops
>>>
>>> # Configure IP / TCP checksum mode
>>> config checksum_mode: all
>>>
>>> # Configure maximum number of flowbit references.  For more information, see README.flowbits
>>> # config flowbits_size: 64
>>>
>>> # Configure ports to ignore
>>> # config ignore_ports: tcp 21 6667:6671 1356
>>> # config ignore_ports: udp 1:17 53
>>>
>>> # Configure active response for non inline operation. For more information, see README.active
>>> # config response: eth0 attempts 2
>>>
>>> # Configure DAQ related options for inline operation. For more information, see README.daq
>>> #
>>> # config daq: <type>
>>> # config daq_dir: <dir>
>>> # config daq_mode: <mode>
>>> # config daq_var: <var>
>>> #
>>> # <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
>>> # <mode> ::= read-file | passive | inline
>>> # <var> ::= arbitrary <name>=<value passed to DAQ
>>> # <dir> ::= path as to where to look for DAQ module so's
>>>
>>> # Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options
>>> #
>>> # config set_gid:
>>> # config set_uid:
>>>
>>> # Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
>>> #
>>> # config snaplen:
>>> #
>>>
>>> # Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
>>> #
>>> # config bpf_file:
>>> #
>>>
>>> # Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)
>>> #
>>> # config logdir:
>>>
>>>
>>> ###################################################
>>> # Step #3: Configure the base detection engine.  For more information, see README.decode
>>> ###################################################
>>>
>>> # Configure PCRE match limitations
>>> config pcre_match_limit: 3500
>>> config pcre_match_limit_recursion: 1500
>>>
>>> # Configure the detection engine.  See the Snort Manual, Configuring Snort - Includes - Config
>>> config detection: search-method ac-split search-optimize max-pattern-len 20
>>>
>>> # Configure the event queue.  For more information, see README.event_queue
>>> config event_queue: max_queue 8 log 3 order_events content_length
>>>
>>> ###################################################
>>> ## Configure GTP if it is to be used.
>>> ## For more information, see README.GTP
>>> ####################################################
>>>
>>> # config enable_gtp
>>>
>>> ###################################################
>>> # Per packet and rule latency enforcement
>>> # For more information see README.ppm
>>> ###################################################
>>>
>>> # Per Packet latency configuration
>>> #config ppm: max-pkt-time 250, \
>>> #   fastpath-expensive-packets, \
>>> #   pkt-log
>>>
>>> # Per Rule latency configuration
>>> #config ppm: max-rule-time 200, \
>>> #   threshold 3, \
>>> #   suspend-expensive-rules, \
>>> #   suspend-timeout 20, \
>>> #   rule-log alert
>>>
>>> ###################################################
>>> # Configure Perf Profiling for debugging
>>> # For more information see README.PerfProfiling
>>> ###################################################
>>>
>>> #config profile_rules: print all, sort avg_ticks
>>> #config profile_preprocs: print all, sort avg_ticks
>>>
>>> ###################################################
>>> # Configure protocol aware flushing
>>> # For more information see README.stream5
>>> ###################################################
>>> config paf_max: 16000
>>>
>>> ###################################################
>>> # Step #4: Configure dynamic loaded libraries.
>>> # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
>>> ###################################################
>>>
>>> # path to dynamic preprocessor libraries
>>> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>>>
>>> # path to base preprocessor engine
>>> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>
>>> # path to dynamic rules libraries
>>> dynamicdetection directory /usr/local/lib/snort_dynamicrules
>>>
>>> ###################################################
>>> # Step #5: Configure preprocessors
>>> # For more information, see the Snort Manual, Configuring Snort - Preprocessors
>>> ###################################################
>>>
>>> # GTP Control Channel Preprocessor. For more information, see README.GTP
>>> # preprocessor gtp: ports { 2123 3386 2152 }
>>>
>>> # Inline packet normalization. For more information, see README.normalize
>>> # Does nothing in IDS mode
>>> preprocessor normalize_ip4
>>> preprocessor normalize_tcp: ips ecn stream
>>> preprocessor normalize_icmp4
>>> preprocessor normalize_ip6
>>> preprocessor normalize_icmp6
>>>
>>> # Target-based IP defragmentation.  For more information, see README.frag3
>>> preprocessor frag3_global: max_frags 65536
>>> preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
>>>
>>> # Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
>>> preprocessor stream5_global: track_tcp yes, \
>>>    track_udp yes, \
>>>    track_icmp no, \
>>>    max_tcp 262144, \
>>>    max_udp 131072, \
>>>    max_active_responses 2, \
>>>    min_response_seconds 5
>>> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>>>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>>>     ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
>>>         161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \
>>>         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>>>     ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777 7779 \
>>>         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
>>>         7917 7918 7919 7920 8000 8008 8014 8028 8080 8081 8088 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
>>> preprocessor stream5_udp: timeout 180
>>>
>>> # performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
>>> preprocessor perfmonitor: time 300 file /nsm/sensor_data/onion-desktop-eth0/snort.stats pktcnt 10000
>>>
>>> # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
>>> preprocessor http_inspect_server: server default \
>>>     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>>>     chunk_length 500000 \
>>>     server_flow_depth 0 \
>>>     client_flow_depth 0 \
>>>     post_depth 65495 \
>>>     oversize_dir_length 500 \
>>>     max_header_length 750 \
>>>     max_headers 100 \
>>>     max_spaces 0 \
>>>     small_chunk_length { 10 5 } \
>>>     ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8081 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 } \
>>>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>>     enable_cookie \
>>>     extended_response_inspection \
>>>     inspect_gzip \
>>>     normalize_utf \
>>>     unlimited_decompress \
>>>     normalize_javascript \
>>>     apache_whitespace no \
>>>     ascii no \
>>>     bare_byte no \
>>>     directory no \
>>>     double_decode no \
>>>     iis_backslash no \
>>>     iis_delimiter no \
>>>     iis_unicode no \
>>>     multi_slash no \
>>>     utf_8 no \
>>>     u_encode yes \
>>>     webroot no
>>>
>>> # ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
>>> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
>>>
>>> # Back Orifice detection.
>>> preprocessor bo
>>>
>>> # FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
>>> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
>>> preprocessor ftp_telnet_protocol: telnet \
>>>     ayt_attack_thresh 20 \
>>>     normalize ports { 23 } \
>>>     detect_anomalies
>>> preprocessor ftp_telnet_protocol: ftp server default \
>>>     def_max_param_len 100 \
>>>     ports { 21 2100 3535 } \
>>>     telnet_cmds yes \
>>>     ignore_telnet_erase_cmds yes \
>>>     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
>>>     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
>>>     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
>>>     ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
>>>     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
>>>     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
>>>     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
>>>     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
>>>     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
>>>     ftp_cmds { XSEN XSHA1 XSHA256 } \
>>>     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
>>>     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
>>>     alt_max_param_len 256 { CWD RNTO } \
>>>     alt_max_param_len 400 { PORT } \
>>>     alt_max_param_len 512 { SIZE } \
>>>     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
>>>     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
>>>     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
>>>     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
>>>     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
>>>     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
>>>     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
>>>     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
>>>     cmd_validity ALLO < int [ char R int ] > \
>>>     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
>>>     cmd_validity MACB < string > \
>>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>>     cmd_validity MODE < char ASBCZ > \
>>>     cmd_validity PORT < host_port > \
>>>     cmd_validity PROT < char CSEP > \
>>>     cmd_validity STRU < char FRPO [ string ] > \
>>>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
>>> preprocessor ftp_telnet_protocol: ftp client default \
>>>     max_resp_len 256 \
>>>     bounce yes \
>>>     ignore_telnet_erase_cmds yes \
>>>     telnet_cmds yes
>>>
>>>
>>> # SMTP normalization and anomaly detection.  For more information, see README.SMTP
>>> preprocessor smtp: ports { 25 465 587 691 } \
>>>     inspection_type stateful \
>>>     b64_decode_depth 0 \
>>>     qp_decode_depth 0 \
>>>     bitenc_decode_depth 0 \
>>>     uu_decode_depth 0 \
>>>     log_mailfrom \
>>>     log_rcptto \
>>>     log_filename \
>>>     log_email_hdrs \
>>>     normalize cmds \
>>>     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>>>     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>>>     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>>>     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>>>     max_command_line_len 512 \
>>>     max_header_line_len 1000 \
>>>     max_response_line_len 512 \
>>>     alt_max_command_line_len 260 { MAIL } \
>>>     alt_max_command_line_len 300 { RCPT } \
>>>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>>>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>>>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>>>     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>>>     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>>>     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>>>     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>>>     xlink2state { enabled }
>>>
>>> # Portscan detection.  For more information, see README.sfportscan
>>> # preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }
>>>
>>> # ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
>>> # preprocessor arpspoof
>>> # preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>>>
>>> # SSH anomaly detection.  For more information, see README.ssh
>>> preprocessor ssh: server_ports { 22 } \
>>>                   autodetect \
>>>                   max_client_bytes 19600 \
>>>                   max_encrypted_packets 20 \
>>>                   max_server_version_len 100 \
>>>                   enable_respoverflow enable_ssh1crc32 \
>>>                   enable_srvoverflow enable_protomismatch
>>>
>>> # SMB / DCE-RPC normalization and anomaly detection.  For more information, see README.dcerpc2
>>> preprocessor dcerpc2: memcap 102400, events [co ]
>>> preprocessor dcerpc2_server: default, policy WinXP, \
>>>     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
>>>     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>>>     smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
>>>
>>> # DNS anomaly detection.  For more information, see README.dns
>>> preprocessor dns: ports { 53 } enable_rdata_overflow
>>>
>>> # SSL anomaly detection and traffic bypass.  For more information, see README.ssl
>>> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
>>>
>>> # SDF sensitive data preprocessor.  For more information see README.sensitive_data
>>> preprocessor sensitive_data: alert_threshold 25
>>>
>>> # SIP Session Initiation Protocol preprocessor.  For more information see README.sip
>>> preprocessor sip: max_sessions 40000, \
>>>    ports { 5060 5061 5600 }, \
>>>    methods { invite \
>>>              cancel \
>>>              ack \
>>>              bye \
>>>              register \
>>>              options \
>>>              refer \
>>>              subscribe \
>>>              update \
>>>              join \
>>>              info \
>>>              message \
>>>              notify \
>>>              benotify \
>>>              do \
>>>              qauth \
>>>              sprack \
>>>              publish \
>>>              service \
>>>              unsubscribe \
>>>              prack }, \
>>>    max_uri_len 512, \
>>>    max_call_id_len 80, \
>>>    max_requestName_len 20, \
>>>    max_from_len 256, \
>>>    max_to_len 256, \
>>>    max_via_len 1024, \
>>>    max_contact_len 512, \
>>>    max_content_len 2048
>>>
>>> # IMAP preprocessor.  For more information see README.imap
>>> preprocessor imap: \
>>>    ports { 143 } \
>>>    b64_decode_depth 0 \
>>>    qp_decode_depth 0 \
>>>    bitenc_decode_depth 0 \
>>>    uu_decode_depth 0
>>>
>>> # POP preprocessor. For more information see README.pop
>>> preprocessor pop: \
>>>    ports { 110 } \
>>>    b64_decode_depth 0 \
>>>    qp_decode_depth 0 \
>>>    bitenc_decode_depth 0 \
>>>    uu_decode_depth 0
>>>
>>> # Modbus preprocessor. For more information see README.modbus
>>> preprocessor modbus: ports { 502 }
>>>
>>> # DNP3 preprocessor. For more information see README.dnp3
>>> preprocessor dnp3: ports { 20000 } \
>>>    memcap 262144 \
>>>    check_crc
>>>
>>> # Reputation preprocessor. For more information see README.reputation
>>> preprocessor reputation: \
>>>    memcap 500, \
>>>    priority whitelist, \
>>>    nested_ip inner, \
>>>    whitelist $WHITE_LIST_PATH/white_list.rules, \
>>>    blacklist $BLACK_LIST_PATH/black_list.rules
>>>
>>> ###################################################
>>> # Step #6: Configure output plugins
>>> # For more information, see Snort Manual, Configuring Snort - Output Modules
>>> ###################################################
>>>
>>> # unified2
>>> # Recommended for most installs
>>> output unified2: filename snort.unified2, limit 128
>>>
>>> include /etc/nsm/CSIS/fifo.output
>>>
>>> # Additional configuration for specific types of installs
>>> # output alert_unified2: filename snort.alert, limit 128, nostamp
>>> # output log_unified2: filename snort.log, limit 128, nostamp
>>>
>>> # syslog
>>> # output alert_syslog: LOG_AUTH LOG_ALERT
>>>
>>> # pcap
>>> # output log_tcpdump: tcpdump.log
>>>
>>> # database
>>> # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
>>> # output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
>>>
>>> # prelude
>>> # output alert_prelude
>>>
>>> # metadata reference data.  do not modify these lines
>>> include classification.config
>>> include reference.config
>>>
>>>
>>> ###################################################
>>> # Step #7: Customize your rule set
>>> # For more information, see Snort Manual, Writing Snort Rules
>>> #
>>> # NOTE: All categories are enabled in this conf file
>>> ###################################################
>>>
>>> # site specific rules
>>> include $RULE_PATH/local.rules
>>>
>>> include $RULE_PATH/specificationBased.rules
>>>
>>> # rules downloaded by PulledPork
>>> include $RULE_PATH/downloaded.rules
>>>
>>> ###################################################
>>> # Step #8: Customize your preprocessor and decoder alerts
>>> # For more information, see README.decoder_preproc_rules
>>> ###################################################
>>>
>>> # decoder and preprocessor event rules
>>> # include $PREPROC_RULE_PATH/preprocessor.rules
>>> # include $PREPROC_RULE_PATH/decoder.rules
>>> # include $PREPROC_RULE_PATH/sensitive-data.rules
>>>
>>> ###################################################
>>> # Step #9: Customize your Shared Object Snort Rules
>>> # For more information, see http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
>>> ###################################################
>>>
>>> # dynamic library rules
>>> include $SO_RULE_PATH/so_rules.rules
>>>
>>> # Event thresholding or suppression commands. See threshold.conf
>>> include threshold.conf
>>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: StatusUpdateSequence3.pcap
Type: application/octet-stream
Size: 2491 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121009/76117b43/attachment.obj>
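The situation described in the thread (one POST spread over two TCP segments, a content match that only ever sees the first packet) can be reproduced outside Snort. The script below is an added illustration, not code from the thread or from Snort: it joins the two segments into one request PDU the way a stream reassembler with protocol-aware flushing would, then applies the rule's content bytes (3c 78 73 64, i.e. "<xsd") to the reassembled buffer instead of to each packet. The request, sequence numbers and XML body are constructed here; the pcap from the thread is not used.

```python
import re

# Constructed sample values (not taken from the thread's pcap).
ISN = 1000                 # client's initial sequence number; data starts at ISN + 1
PATTERN = b"<xsd"          # the bytes 3c 78 73 64 that the thread's rule matches on


def build_post() -> bytes:
    """Build one HTTP POST request as a single PDU with a computed Content-Length."""
    body = b'<?xml version="1.0"?><xsd:schema xmlns:xsd="urn:x"/>'
    head = (b"POST /status HTTP/1.1\r\n"
            b"Host: 192.168.8.177:8081\r\n"
            b"Content-Type: text/xml\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


def split_post(pdu: bytes, isn: int) -> list:
    """Split the PDU into two TCP segments (seq, payload) so that PATTERN
    straddles the boundary, as happens when a POST spans two packets."""
    cut = pdu.index(PATTERN) + 2
    return [(isn + 1, pdu[:cut]), (isn + 1 + cut, pdu[cut:])]


def reassemble(isn: int, segments: list) -> bytes:
    """Order segments by sequence number and join contiguous data, trimming
    retransmitted overlap; data after the first hole is not returned."""
    expected = isn + 1
    out = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > expected:
            break                       # gap: later bytes cannot be flushed yet
        skip = expected - seq           # bytes already delivered (overlap)
        if skip < len(payload):
            out += payload[skip:]
            expected += len(payload) - skip
    return bytes(out)


def flush_http_request(stream: bytes):
    """Return the first complete request (headers plus Content-Length bytes of
    body) from the client stream, or None while it is still incomplete."""
    hdr_end = stream.find(b"\r\n\r\n")
    if hdr_end < 0:
        return None
    m = re.search(rb"(?im)^content-length:[ \t]*(\d+)\r?$", stream[:hdr_end])
    body_len = int(m.group(1)) if m else 0
    total = hdr_end + 4 + body_len
    return stream[:total] if len(stream) >= total else None


def match_content(data: bytes, pattern: bytes = PATTERN) -> int:
    """Offset of the rule's content pattern in data, or -1 when absent."""
    return data.find(pattern)


def demo():
    """Compare per-packet matching with matching on the reassembled request."""
    pdu = build_post()
    segs = split_post(pdu, ISN)
    per_segment = [match_content(p) for _, p in segs]
    # Deliver the segments out of order to show the reassembler sorting them.
    request = flush_http_request(reassemble(ISN, list(reversed(segs))))
    return per_segment, match_content(request), request == pdu


if __name__ == "__main__":
    per_seg, offset, complete = demo()
    print("per-segment match offsets:", per_seg)
    print("offset in reassembled request:", offset, "complete:", complete)
```

Per segment the pattern is never found, while the reassembled request matches at one offset; the same check applied to the thread's own traffic would show whether the pattern sits inside a single packet or across the boundary.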

