[Snort-users] HTTP reassembly problem

João Lima joao.pedro.paulino.lima at ...11827...
Wed Oct 10 04:52:31 EDT 2012


Yes I can.

alert tcp any any -> 192.168.8.177 8081 (msg:"action type 50"; sid:1000050;
content:"|3c 78 73 64 3a 53 74 61 74 75 73 55 70 64 61 74 65 3e|";)

Sorry. Should have sent the complete rule the first time.

Best regards,

João Lima

2012/10/9 Joel Esler <jesler at ...1935...>

> I see the pcap, but I don't see a complete rule to test with.
>
> Can you provide that?
>
>
> On Oct 9, 2012, at 5:19 PM, João Lima <joao.pedro.paulino.lima at ...13704......>
> wrote:
>
> Hello,
>
> Does anyone can help me with this issue??
>
> Best regards,
>
> João Pedro Lima
>
> 2012/10/9 João Lima <joao.pedro.paulino.lima at ...11827...>
>
>> Sure,
>>
>> The pcap contains the complete HTTP session of the request. What I expect
>> to obtain is packet 4 and 5 in just one "pseudo-packet" that represent the
>> complete HTTP request.
>>
>> Best regards,
>>
>> João Pedro Lima
>>
>>
>> 2012/10/9 Russ Combs <rcombs at ...1935...>
>>
>>> Can you send a pcap?
>>>
>>> On Tue, Oct 9, 2012 at 10:29 AM, João Lima <
>>> joao.pedro.paulino.lima at ...11827...> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm having a little problem with the reassembly of HTTP PDUs...
>>>>
>>>> My scenario is the following: I have one HTTP POST that is spread
>>>> across  two TCP packets... What I'm trying to do is to find one message an
>>>> alert when it is found in order to be able to process it in a custom
>>>> system...
>>>>
>>>> However, I've already tried almost every configuration of stream5 and
>>>> http_inspect, and I'm only able to retrieve the first packet of the two
>>>> that compose the HTTP POST... All the documentation says it is possible
>>>> that Snort is able to reassemble  packets, but I've found no information
>>>> about its ability to return the send a unified2Packet with the reassembled
>>>> packet...
>>>>
>>>> The HTTP server is running on port 8081...
>>>>
>>>> Can you tell me if I'm missing something either on the snort
>>>> configuration or in the detection rule??
>>>>
>>>> Rule used to detect the packet:
>>>>
>>>> "alert tcp any any -> 192.168.8.177 any (msg:"Action type 50";
>>>> sid:1000050; content:"|3c 78 73 64 .......|";)"
>>>>
>>>> My snort.conf is below:
>>>>
>>>> # Setup the network addresses you are protecting
>>>> ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
>>>>
>>>> # Set up the external network addresses. Leave as "any" in most
>>>> situations
>>>> ipvar EXTERNAL_NET any
>>>>
>>>> # List of DNS servers on your network
>>>> ipvar DNS_SERVERS $HOME_NET
>>>>
>>>> # List of SMTP servers on your network
>>>> ipvar SMTP_SERVERS $HOME_NET
>>>>
>>>> # List of web servers on your network
>>>> ipvar HTTP_SERVERS $HOME_NET
>>>>
>>>>  # List of sql servers on your network
>>>> ipvar SQL_SERVERS $HOME_NET
>>>>
>>>> # List of telnet servers on your network
>>>> ipvar TELNET_SERVERS $HOME_NET
>>>>
>>>> # List of ssh servers on your network
>>>> ipvar SSH_SERVERS $HOME_NET
>>>>
>>>> # List of ftp servers on your network
>>>> ipvar FTP_SERVERS $HOME_NET
>>>>
>>>> # List of sip servers on your network
>>>> ipvar SIP_SERVERS $HOME_NET
>>>>
>>>> # List of ports you run web servers on
>>>> portvar HTTP_PORTS
>>>> [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]
>>>>
>>>> # List of ports you want to look for SHELLCODE on.
>>>> portvar SHELLCODE_PORTS !80
>>>>
>>>> # List of ports you might see oracle attacks on
>>>> portvar ORACLE_PORTS 1024:
>>>>
>>>> # List of ports you want to look for SSH connections on:
>>>> portvar SSH_PORTS 22
>>>>
>>>> # List of ports you run ftp servers on
>>>> portvar FTP_PORTS [21,2100,3535]
>>>>
>>>> # List of ports you run SIP servers on
>>>> portvar SIP_PORTS [5060,5061,5600]
>>>>
>>>> # List of file data ports for file inspection
>>>> portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
>>>>
>>>> # List of GTP ports for GTP preprocessor
>>>> portvar GTP_PORTS [2123,2152,3386]
>>>>
>>>> # other variables, these should not be modified
>>>> ipvar AIM_SERVERS [
>>>> 64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24
>>>> ]
>>>>
>>>> include /etc/nsm/CSIS/local.variables
>>>>
>>>> # Path to your rules files (this can be a relative path)
>>>> # Note for Windows users:  You are advised to make this an absolute
>>>> path,
>>>> # such as:  c:\snort\rules
>>>> var RULE_PATH /etc/nsm/rules
>>>> var SO_RULE_PATH /etc/nsm/rules
>>>> var PREPROC_RULE_PATH /etc/nsm/preproc_rules
>>>>
>>>> # If you are using reputation preprocessor set these
>>>> # Currently there is a bug with relative paths, they are relative to
>>>> where snort is
>>>> # not relative to snort.conf like the above variables
>>>> # This is completely inconsistent with how other vars work, BUG 89986
>>>> # Set the absolute path appropriately
>>>> var WHITE_LIST_PATH /etc/nsm/rules
>>>> var BLACK_LIST_PATH /etc/nsm/rules
>>>>
>>>> ###################################################
>>>> # Step #2: Configure the decoder.  For more information, see
>>>> README.decode
>>>> ###################################################
>>>>
>>>> # Stop generic decode events:
>>>> config disable_decode_alerts
>>>>
>>>> # Stop Alerts on experimental TCP options
>>>> config disable_tcpopt_experimental_alerts
>>>>
>>>> # Stop Alerts on obsolete TCP options
>>>> config disable_tcpopt_obsolete_alerts
>>>>
>>>> # Stop Alerts on T/TCP alerts
>>>> config disable_tcpopt_ttcp_alerts
>>>>
>>>> # Stop Alerts on all other TCPOption type events:
>>>> config disable_tcpopt_alerts
>>>>
>>>> # Stop Alerts on invalid ip options
>>>> config disable_ipopt_alerts
>>>>
>>>> # Alert if value in length field (IP, TCP, UDP) is greater th elength
>>>> of the packet
>>>> # config enable_decode_oversized_alerts
>>>>
>>>> # Same as above, but drop packet if in Inline mode (requires
>>>> enable_decode_oversized_alerts)
>>>> # config enable_decode_oversized_drops
>>>>
>>>> # Configure IP / TCP checksum mode
>>>> config checksum_mode: all
>>>>
>>>> # Configure maximum number of flowbit references.  For more
>>>> information, see README.flowbits
>>>> # config flowbits_size: 64
>>>>
>>>> # Configure ports to ignore
>>>> # config ignore_ports: tcp 21 6667:6671 1356
>>>> # config ignore_ports: udp 1:17 53
>>>>
>>>> # Configure active response for non inline operation. For more
>>>> information, see REAMDE.active
>>>> # config response: eth0 attempts 2
>>>>
>>>> # Configure DAQ related options for inline operation. For more
>>>> information, see README.daq
>>>> #
>>>> # config daq: <type>
>>>> # config daq_dir: <dir>
>>>> # config daq_mode: <mode>
>>>> # config daq_var: <var>
>>>> #
>>>> # <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
>>>> # <mode> ::= read-file | passive | inline
>>>> # <var> ::= arbitrary <name>=<value passed to DAQ
>>>> # <dir> ::= path as to where to look for DAQ module so's
>>>>
>>>> # Configure specific UID and GID to run snort as after dropping privs.
>>>> For more information see snort -h command line options
>>>> #
>>>> # config set_gid:
>>>> # config set_uid:
>>>>
>>>> # Configure default snaplen. Snort defaults to MTU of in use interface.
>>>> For more information see README
>>>> #
>>>> # config snaplen:
>>>> #
>>>>
>>>> # Configure default bpf_file to use for filtering what traffic reaches
>>>> snort. For more information see snort -h command line options (-F)
>>>> #
>>>> # config bpf_file:
>>>> #
>>>>
>>>> # Configure default log directory for snort to log to.  For more
>>>> information see snort -h command line options (-l)
>>>> #
>>>> # config logdir:
>>>>
>>>>
>>>> ###################################################
>>>> # Step #3: Configure the base detection engine.  For more information,
>>>> see  README.decode
>>>> ###################################################
>>>>
>>>> # Configure PCRE match limitations
>>>> config pcre_match_limit: 3500
>>>> config pcre_match_limit_recursion: 1500
>>>>
>>>> # Configure the detection engine  See the Snort Manual, Configuring
>>>> Snort - Includes - Config
>>>> config detection: search-method ac-split search-optimize
>>>> max-pattern-len 20
>>>>
>>>> # Configure the event queue.  For more information, see
>>>> README.event_queue
>>>> config event_queue: max_queue 8 log 3 order_events content_length
>>>>
>>>> ###################################################
>>>> ## Configure GTP if it is to be used.
>>>> ## For more information, see README.GTP
>>>> ####################################################
>>>>
>>>> # config enable_gtp
>>>>
>>>> ###################################################
>>>> # Per packet and rule latency enforcement
>>>> # For more information see README.ppm
>>>> ###################################################
>>>>
>>>> # Per Packet latency configuration
>>>> #config ppm: max-pkt-time 250, \
>>>> #   fastpath-expensive-packets, \
>>>> #   pkt-log
>>>>
>>>> # Per Rule latency configuration
>>>> #config ppm: max-rule-time 200, \
>>>> #   threshold 3, \
>>>> #   suspend-expensive-rules, \
>>>> #   suspend-timeout 20, \
>>>> #   rule-log alert
>>>>
>>>> ###################################################
>>>> # Configure Perf Profiling for debugging
>>>> # For more information see README.PerfProfiling
>>>> ###################################################
>>>>
>>>> #config profile_rules: print all, sort avg_ticks
>>>> #config profile_preprocs: print all, sort avg_ticks
>>>>
>>>> ###################################################
>>>> # Configure protocol aware flushing
>>>> # For more information see README.stream5
>>>> ###################################################
>>>> config paf_max: 16000
>>>>
>>>> ###################################################
>>>> # Step #4: Configure dynamic loaded libraries.
>>>> # For more information, see Snort Manual, Configuring Snort - Dynamic
>>>> Modules
>>>> ###################################################
>>>>
>>>> # path to dynamic preprocessor libraries
>>>> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>>>>
>>>> # path to base preprocessor engine
>>>> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>>
>>>> # path to dynamic rules libraries
>>>> dynamicdetection directory /usr/local/lib/snort_dynamicrules
>>>>
>>>> ###################################################
>>>> # Step #5: Configure preprocessors
>>>> # For more information, see the Snort Manual, Configuring Snort -
>>>> Preprocessors
>>>> ###################################################
>>>>
>>>> # GTP Control Channle Preprocessor. For more information, see README.GTP
>>>> # preprocessor gtp: ports { 2123 3386 2152 }
>>>>
>>>> # Inline packet normalization. For more information, see
>>>> README.normalize
>>>> # Does nothing in IDS mode
>>>> preprocessor normalize_ip4
>>>> preprocessor normalize_tcp: ips ecn stream
>>>> preprocessor normalize_icmp4
>>>> preprocessor normalize_ip6
>>>> preprocessor normalize_icmp6
>>>>
>>>> # Target-based IP defragmentation.  For more inforation, see
>>>> README.frag3
>>>> preprocessor frag3_global: max_frags 65536
>>>> preprocessor frag3_engine: policy windows detect_anomalies
>>>> overlap_limit 10 min_fragment_length 100 timeout 180
>>>>
>>>> # Target-Based stateful inspection/stream reassembly.  For more
>>>> inforation, see README.stream5
>>>> preprocessor stream5_global: track_tcp yes, \
>>>>    track_udp yes, \
>>>>    track_icmp no, \
>>>>    max_tcp 262144, \
>>>>    max_udp 131072, \
>>>>    max_active_responses 2, \
>>>>    min_response_seconds 5
>>>> preprocessor stream5_tcp: policy windows, detect_anomalies,
>>>> require_3whs 180, \
>>>>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>>>>     ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137
>>>> 139 143 \
>>>>         161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666
>>>> 6667 6668 6669 \
>>>>         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778
>>>> 32779, \
>>>>     ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994
>>>> 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510
>>>> 7802 7777 7779 \
>>>>         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911
>>>> 7912 7913 7914 7915 7916 \
>>>>         7917 7918 7919 7920 8000 8008 8014 8028 8080 8081 8088 8118
>>>> 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
>>>> preprocessor stream5_udp: timeout 180
>>>>
>>>> # performance statistics.  For more information, see the Snort Manual,
>>>> Configuring Snort - Preprocessors - Performance Monitor
>>>> preprocessor perfmonitor: time 300 file
>>>> /nsm/sensor_data/onion-desktop-eth0/snort.stats pktcnt 10000
>>>>
>>>> # HTTP normalization and anomaly detection.  For more information, see
>>>> README.http_inspect
>>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>>> compress_depth 65535 decompress_depth 65535
>>>> preprocessor http_inspect_server: server default \
>>>>     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK
>>>> NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK
>>>> CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND
>>>> BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST
>>>> RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>>>>     chunk_length 500000 \
>>>>     server_flow_depth 0 \
>>>>     client_flow_depth 0 \
>>>>     post_depth 65495 \
>>>>     oversize_dir_length 500 \
>>>>     max_header_length 750 \
>>>>     max_headers 100 \
>>>>     max_spaces 0 \
>>>>     small_chunk_length { 10 5 } \
>>>>     ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
>>>> 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8081 8088
>>>> 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371
>>>> 55555 } \
>>>>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>>>     enable_cookie \
>>>>     extended_response_inspection \
>>>>     inspect_gzip \
>>>>     normalize_utf \
>>>>     unlimited_decompress \
>>>>     normalize_javascript \
>>>>     apache_whitespace no \
>>>>     ascii no \
>>>>     bare_byte no \
>>>>     directory no \
>>>>     double_decode no \
>>>>     iis_backslash no \
>>>>     iis_delimiter no \
>>>>     iis_unicode no \
>>>>     multi_slash no \
>>>>     utf_8 no \
>>>>     u_encode yes \
>>>>     webroot no
>>>>
>>>> # ONC-RPC normalization and anomaly detection.  For more information,
>>>> see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
>>>> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776
>>>> 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments
>>>> no_alert_incomplete
>>>>
>>>> # Back Orifice detection.
>>>> preprocessor bo
>>>>
>>>> # FTP / Telnet normalization and anomaly detection.  For more
>>>> information, see README.ftptelnet
>>>> preprocessor ftp_telnet: global inspection_type stateful
>>>> encrypted_traffic no check_encrypted
>>>> preprocessor ftp_telnet_protocol: telnet \
>>>>     ayt_attack_thresh 20 \
>>>>     normalize ports { 23 } \
>>>>     detect_anomalies
>>>> preprocessor ftp_telnet_protocol: ftp server default \
>>>>     def_max_param_len 100 \
>>>>     ports { 21 2100 3535 } \
>>>>     telnet_cmds yes \
>>>>     ignore_telnet_erase_cmds yes \
>>>>     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
>>>>     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
>>>>     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
>>>>     ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
>>>>     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
>>>>     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
>>>>     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
>>>>     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
>>>>     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
>>>>     ftp_cmds { XSEN XSHA1 XSHA256 } \
>>>>     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD
>>>> QUIT REIN STOU SYST XCUP XPWD } \
>>>>     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU
>>>> XMKD } \
>>>>     alt_max_param_len 256 { CWD RNTO } \
>>>>     alt_max_param_len 400 { PORT } \
>>>>     alt_max_param_len 512 { SIZE } \
>>>>     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
>>>>     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
>>>>     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
>>>>     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
>>>>     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
>>>>     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
>>>>     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
>>>>     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
>>>>     cmd_validity ALLO < int [ char R int ] > \
>>>>     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
>>>>     cmd_validity MACB < string > \
>>>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>>>     cmd_validity MODE < char ASBCZ > \
>>>>     cmd_validity PORT < host_port > \
>>>>     cmd_validity PROT < char CSEP > \
>>>>     cmd_validity STRU < char FRPO [ string ] > \
>>>>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [
>>>> number ] } >
>>>> preprocessor ftp_telnet_protocol: ftp client default \
>>>>     max_resp_len 256 \
>>>>     bounce yes \
>>>>     ignore_telnet_erase_cmds yes \
>>>>     telnet_cmds yes
>>>>
>>>>
>>>> # SMTP normalization and anomaly detection.  For more information, see
>>>> README.SMTP
>>>> preprocessor smtp: ports { 25 465 587 691 } \
>>>>     inspection_type stateful \
>>>>     b64_decode_depth 0 \
>>>>     qp_decode_depth 0 \
>>>>     bitenc_decode_depth 0 \
>>>>     uu_decode_depth 0 \
>>>>     log_mailfrom \
>>>>     log_rcptto \
>>>>     log_filename \
>>>>     log_email_hdrs \
>>>>     normalize cmds \
>>>>     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM
>>>> ESND ESOM ETRN EVFY } \
>>>>     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT
>>>> RSET SAML SEND SOML } \
>>>>     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT
>>>> X-DRCP X-ERCP X-EXCH50 } \
>>>>     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN
>>>> XLICENSE XQUE XSTA XTRN XUSR } \
>>>>     max_command_line_len 512 \
>>>>     max_header_line_len 1000 \
>>>>     max_response_line_len 512 \
>>>>     alt_max_command_line_len 260 { MAIL } \
>>>>     alt_max_command_line_len 300 { RCPT } \
>>>>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>>>>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL
>>>> ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>>>>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA
>>>> RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR
>>>> XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>>>>     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND
>>>> ESOM ETRN EVFY } \
>>>>     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT
>>>> RSET SAML SEND SOML } \
>>>>     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP
>>>> X-ERCP X-EXCH50 } \
>>>>     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN
>>>> XLICENSE XQUE XSTA XTRN XUSR } \
>>>>     xlink2state { enabled }
>>>>
>>>> # Portscan detection.  For more information, see README.sfportscan
>>>> # preprocessor sfportscan: proto  { all } memcap { 10000000 }
>>>> sense_level { low }
>>>>
>>>> # ARP spoof detection.  For more information, see the Snort Manual -
>>>> Configuring Snort - Preprocessors - ARP Spoof Preprocessor
>>>> # preprocessor arpspoof
>>>> # preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>>>>
>>>> # SSH anomaly detection.  For more information, see README.ssh
>>>> preprocessor ssh: server_ports { 22 } \
>>>>                   autodetect \
>>>>                   max_client_bytes 19600 \
>>>>                   max_encrypted_packets 20 \
>>>>                   max_server_version_len 100 \
>>>>                   enable_respoverflow enable_ssh1crc32 \
>>>>                   enable_srvoverflow enable_protomismatch
>>>>
>>>> # SMB / DCE-RPC normalization and anomaly detection.  For more
>>>> information, see README.dcerpc2
>>>> preprocessor dcerpc2: memcap 102400, events [co ]
>>>> preprocessor dcerpc2_server: default, policy WinXP, \
>>>>     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593],
>>>> \
>>>>     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>>>>     smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
>>>>
>>>> # DNS anomaly detection.  For more information, see README.dns
>>>> preprocessor dns: ports { 53 } enable_rdata_overflow
>>>>
>>>> # SSL anomaly detection and traffic bypass.  For more information, see
>>>> README.ssl
>>>> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802
>>>> 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914
>>>> 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
>>>>
>>>> # SDF sensitive data preprocessor.  For more information see
>>>> README.sensitive_data
>>>> preprocessor sensitive_data: alert_threshold 25
>>>>
>>>> # SIP Session Initiation Protocol preprocessor.  For more information
>>>> see README.sip
>>>> preprocessor sip: max_sessions 40000, \
>>>>    ports { 5060 5061 5600 }, \
>>>>    methods { invite \
>>>>              cancel \
>>>>              ack \
>>>>              bye \
>>>>              register \
>>>>              options \
>>>>              refer \
>>>>              subscribe \
>>>>              update \
>>>>              join \
>>>>              info \
>>>>              message \
>>>>              notify \
>>>>              benotify \
>>>>              do \
>>>>              qauth \
>>>>              sprack \
>>>>              publish \
>>>>              service \
>>>>              unsubscribe \
>>>>              prack }, \
>>>>    max_uri_len 512, \
>>>>    max_call_id_len 80, \
>>>>    max_requestName_len 20, \
>>>>    max_from_len 256, \
>>>>    max_to_len 256, \
>>>>    max_via_len 1024, \
>>>>    max_contact_len 512, \
>>>>    max_content_len 2048
>>>>
>>>> # IMAP preprocessor.  For more information see README.imap
>>>> preprocessor imap: \
>>>>    ports { 143 } \
>>>>    b64_decode_depth 0 \
>>>>    qp_decode_depth 0 \
>>>>    bitenc_decode_depth 0 \
>>>>    uu_decode_depth 0
>>>>
>>>> # POP preprocessor. For more information see README.pop
>>>> preprocessor pop: \
>>>>    ports { 110 } \
>>>>    b64_decode_depth 0 \
>>>>    qp_decode_depth 0 \
>>>>    bitenc_decode_depth 0 \
>>>>    uu_decode_depth 0
>>>>
>>>> # Modbus preprocessor. For more information see README.modbus
>>>> preprocessor modbus: ports { 502 }
>>>>
>>>> # DNP3 preprocessor. For more information see README.dnp3
>>>> preprocessor dnp3: ports { 20000 } \
>>>>    memcap 262144 \
>>>>    check_crc
>>>>
>>>> # Reputation preprocessor. For more information see README.reputation
>>>> preprocessor reputation: \
>>>>    memcap 500, \
>>>>    priority whitelist, \
>>>>    nested_ip inner, \
>>>>    whitelist $WHITE_LIST_PATH/white_list.rules, \
>>>>    blacklist $BLACK_LIST_PATH/black_list.rules
>>>>
>>>> ###################################################
>>>> # Step #6: Configure output plugins
>>>> # For more information, see Snort Manual, Configuring Snort - Output
>>>> Modules
>>>> ###################################################
>>>>
>>>> # unified2
>>>> # Recommended for most installs
>>>> output unified2: filename snort.unified2, limit 128
>>>>
>>>> include /etc/nsm/CSIS/fifo.output
>>>>
>>>> # Additional configuration for specific types of installs
>>>> # output alert_unified2: filename snort.alert, limit 128, nostamp
>>>> # output log_unified2: filename snort.log, limit 128, nostamp
>>>>
>>>> # syslog
>>>> # output alert_syslog: LOG_AUTH LOG_ALERT
>>>>
>>>> # pcap
>>>> # output log_tcpdump: tcpdump.log
>>>>
>>>> # database
>>>> # output database: alert, <db_type>, user=<username>
>>>> password=<password> test dbname=<name> host=<hostname>
>>>> # output database: log, <db_type>, user=<username> password=<password>
>>>> test dbname=<name> host=<hostname>
>>>>
>>>> # prelude
>>>> # output alert_prelude
>>>>
>>>> # metadata reference data.  do not modify these lines
>>>> include classification.config
>>>> include reference.config
>>>>
>>>>
>>>> ###################################################
>>>> # Step #7: Customize your rule set
>>>> # For more information, see Snort Manual, Writing Snort Rules
>>>> #
>>>> # NOTE: All categories are enabled in this conf file
>>>> ###################################################
>>>>
>>>> # site specific rules
>>>> include $RULE_PATH/local.rules
>>>>
>>>> include $RULE_PATH/specificationBased.rules
>>>>
>>>> # rules downloaded by PulledPork
>>>> include $RULE_PATH/downloaded.rules
>>>>
>>>> ###################################################
>>>> # Step #8: Customize your preprocessor and decoder alerts
>>>> # For more information, see README.decoder_preproc_rules
>>>> ###################################################
>>>>
>>>> # decoder and preprocessor event rules
>>>> # include $PREPROC_RULE_PATH/preprocessor.rules
>>>> # include $PREPROC_RULE_PATH/decoder.rules
>>>> # include $PREPROC_RULE_PATH/sensitive-data.rules
>>>>
>>>> ###################################################
>>>> # Step #9: Customize your Shared Object Snort Rules
>>>> # For more information, see
>>>> http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
>>>> ###################################################
>>>>
>>>> # dynamic library rules
>>>> include $SO_RULE_PATH/so_rules.rules
>>>>
>>>> # Event thresholding or suppression commands. See threshold.conf
>>>> include threshold.conf
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Don't let slow site performance ruin your business. Deploy New Relic APM
>>>> Deploy New Relic app performance management and know exactly
>>>> what is happening inside your Ruby, Python, PHP, Java, and .NET app
>>>> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
>>>> http://p.sf.net/sfu/newrelic-dev2dev
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>> Snort news!
>>>>
>>>
>>>
>>
> <StatusUpdateSequence3.pcap>
> ------------------------------------------------------------------------------
>
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
>
> http://p.sf.net/sfu/newrelic-dev2dev_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121010/58909e7c/attachment.html>


More information about the Snort-users mailing list