[Snort-users] HTTP reassembly problem

Russ Combs rcombs at ...1935...
Wed Oct 10 12:28:44 EDT 2012


Make sure that you have port 8081 configured in both stream5_tcp and
http_inspect.  You will need something like this for stream5:

ports both 8081 ...
or
ports client 8081 ...

Then, as was mentioned earlier, -A cmg will indicate "Stream reassembled
packet" if you actually alert on such a packet.  The following update to
your rule would ensure that:

alert tcp any any -> 192.168.8.177 any (msg:"Action type 50"; sid:1000050; content:"|3c 78 73 64 |"; content:"</soapenv:Envelope>";)

You can also add show_rebuilt_packets to stream5_global and use with -A cmg
to see reassembled packets so you know how to tweak your rule.

Hope that helps.
Russ
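Russ's checklist above (port 8081 in the stream5_tcp port list as `client` or `both`, and in the http_inspect_server `ports { ... }` list) can be verified mechanically instead of by eye. The Python below is an added example, not code from this thread or from the Snort project: it folds backslash continuations the way Snort reads them, pulls both port lists out of a snort.conf text, and reports which preprocessor covers a given port. `SAMPLE_CONF` is a constructed fragment written for this example, not João's full configuration; in it 8081 is reassembled by stream5 but missing from http_inspect, the mismatch the advice is about.

```python
import re

# Constructed snort.conf fragment for this example (not the poster's full
# file): stream5_tcp carries 8081 under "ports both", but the
# http_inspect_server ports list omits it.
SAMPLE_CONF = r"""
preprocessor stream5_global: track_tcp yes, \
   max_tcp 262144
preprocessor stream5_tcp: policy windows, detect_anomalies, \
    ports client 21 22 23 25, \
    ports both 80 81 443 8080 8081 \
        9443 55555
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    post_depth 65495 \
    ports { 80 81 8080 8088 } \
    enable_cookie
"""


def join_continuations(text):
    """Fold 'backslash + newline' continuations into single logical lines,
    as Snort does, so each directive can be matched as a whole."""
    return re.sub(r"\\[ \t]*\n", " ", text)


def logical_lines(conf, directive):
    """Yield every logical line that starts with the given directive."""
    for line in join_continuations(conf).splitlines():
        if line.strip().startswith(directive):
            yield line


def ports_in_stream5_tcp(conf):
    """Collect the 'ports client|server|both N N N' lists of stream5_tcp."""
    found = {"client": set(), "server": set(), "both": set()}
    pattern = re.compile(r"\bports\s+(client|server|both)\s+([\d\s]+?)(?=,|$)")
    for line in logical_lines(conf, "preprocessor stream5_tcp:"):
        for m in pattern.finditer(line):
            found[m.group(1)].update(int(p) for p in m.group(2).split())
    return found


def ports_in_http_inspect(conf):
    """Collect the 'ports { N N N }' lists of every http_inspect_server block."""
    ports = set()
    pattern = re.compile(r"\bports\s*\{([^}]*)\}")
    for line in logical_lines(conf, "preprocessor http_inspect_server:"):
        for m in pattern.finditer(line):
            ports.update(int(p) for p in m.group(1).split())
    return ports


def check_port_coverage(conf, port):
    """Per preprocessor: does stream5_tcp reassemble the client side of this
    port (listed as client or both), and does http_inspect inspect it?
    Both must be True before a reassembled HTTP request can be matched."""
    s5 = ports_in_stream5_tcp(conf)
    return {
        "stream5_tcp": port in s5["client"] or port in s5["both"],
        "http_inspect": port in ports_in_http_inspect(conf),
    }


if __name__ == "__main__":
    for port in (80, 8081):
        print(port, check_port_coverage(SAMPLE_CONF, port))
```

A port listed only under `ports server` is deliberately not counted, following Russ's note that the request side needs `client` or `both`; the function's two booleans are meant to be read together, since a port covered by one preprocessor but not the other is exactly the case that yields alerts on the raw first segment instead of the rebuilt request.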
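Jason Brvenik's point further down the thread (the member packets are written to the unified2 file as separate packet records referencing the same event, so the consuming tool has to handle more than one packet per event) is shown below as an added example; it is not code from the thread, from Snort or from u2boat. The record layouts are those of the unified2 format: the 8-byte record header, the 52-byte legacy IPv4 IDS event (type 7) and the 28-byte packet header (type 2). The byte stream it parses is constructed inside `build_sample_u2` for this example, and its packet payloads are stand-in bytes rather than real link-layer frames; a reader keyed on one packet per event would see only the first of them.

```python
import struct
import ipaddress
from collections import defaultdict

# unified2 record types used here (values from the unified2 format).
UNIFIED2_PACKET = 2        # packet bytes logged for an event
UNIFIED2_IDS_EVENT = 7     # legacy IPv4 IDS event, 52-byte body

# Big-endian layouts. Event: sensor_id, event_id, event_second,
# event_microsecond, signature_id, generator_id, signature_revision,
# classification_id, priority_id, ip_source, ip_destination, sport_itype,
# dport_icode, protocol, impact_flag, impact, blocked.
EVENT_FMT = "!11I2H4B"
# Packet: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length, then packet_length bytes.
PACKET_FMT = "!7I"


def record(rtype, body):
    """Prefix a body with the 8-byte unified2 record header (type, length)."""
    return struct.pack("!II", rtype, len(body)) + body


def build_sample_u2():
    """Constructed unified2 stream for this example: one event for sid
    1000050 followed by two packet records that both carry event_id 42.
    Payloads are stand-in bytes, not real link-layer frames."""
    sensor, eid, sec = 0, 42, 1349884800
    event = struct.pack(
        EVENT_FMT, sensor, eid, sec, 0, 1000050, 1, 0, 0, 3,
        int(ipaddress.IPv4Address("10.0.0.5")),
        int(ipaddress.IPv4Address("192.168.8.177")),
        51000, 8081, 6, 0, 0, 0)
    parts = [
        b"POST /status HTTP/1.1\r\nHost: example.invalid\r\n\r\n<xsd:StatusUpdate>",
        b"...</xsd:StatusUpdate></soapenv:Envelope>",
    ]
    out = record(UNIFIED2_IDS_EVENT, event)
    for usec, payload in enumerate(parts):
        hdr = struct.pack(PACKET_FMT, sensor, eid, sec, sec, usec, 1, len(payload))
        out += record(UNIFIED2_PACKET, hdr + payload)
    return out


def iter_records(data):
    """Yield (type, body) per record; stop at a truncated tail instead of
    raising, since Snort may still be appending to a live unified2 file."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from("!II", data, off)
        off += 8
        if off + length > len(data):
            break
        yield rtype, data[off:off + length]
        off += length


def group_packets_by_event(data):
    """Return (events, packets), both keyed by (sensor_id, event_id,
    event_second). That triple is how unified2 ties packet records to
    their event; a reader that keeps only the first packet per event
    silently drops the rest."""
    events, packets = {}, defaultdict(list)
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= 52:
            f = struct.unpack(EVENT_FMT, body[:52])
            events[f[0:3]] = {
                "sid": f[4], "gid": f[5], "rev": f[6],
                "src": str(ipaddress.IPv4Address(f[9])), "sport": f[11],
                "dst": str(ipaddress.IPv4Address(f[10])), "dport": f[12],
                "proto": f[13],
            }
        elif rtype == UNIFIED2_PACKET and len(body) >= 28:
            f = struct.unpack_from(PACKET_FMT, body)
            packets[f[0:3]].append(body[28:28 + f[6]])
    return events, dict(packets)


def packets_per_event(data):
    """Map 'gid:sid' to the number of packet records logged for it."""
    events, packets = group_packets_by_event(data)
    return {f"{e['gid']}:{e['sid']}": len(packets.get(key, []))
            for key, e in events.items()}


if __name__ == "__main__":
    sample = build_sample_u2()
    events, packets = group_packets_by_event(sample)
    for key, e in events.items():
        print(f"{e['gid']}:{e['sid']} {e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']} packets={len(packets.get(key, []))}")
```

Pointed at a real file written by `output unified2`, the grouping is what tells you whether the event actually logged more than one packet; if it did not, the problem is upstream in the stream5/http_inspect port configuration rather than in the consumer.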

On Wed, Oct 10, 2012 at 11:55 AM, João Lima <joao.pedro.paulino.lima at ...11827...> wrote:

> That would not be a problem for me since I have some flexibility to
> support that. But as I said in the response to Joel, I'm not getting any
> reassembled packet by any means, neither am I receiving more than one packet
> for the same event.
>
> Looking at the pcap that I sent with what I want to detect, I'm only
> receiving the content of packet 4 and never receiving packet 5.
>
> João Lima
>
>
> 2012/10/10 Jason Brvenik <jasonb at ...1935...>
>
>> The member packets will be in the unified2 file, not the pseudo
>> packet. The tool you are using needs to support multiple packets per
>> event in order for you to see them. If you use the u2boat tool in the
>> tools/u2boat directory it will generate a pcap for that unified file
>> that can be seen in Wireshark.
>>
>> On Wed, Oct 10, 2012 at 11:13 AM, João Lima
>> <joao.pedro.paulino.lima at ...11827...> wrote:
>> > No, I never said that. For me it is alerting perfectly also.
>> >
>> > My problem is that I want it to alert on the reassembled packet resulting
>> > from stream5/http_inspect/paf.
>> >
>> > In the end, what I want is to receive a unified2Packet with the complete
>> > HTTP POST and not only part of the HTTP POST.
>> >
>> > Is it possible anyway??
>> >
>> > Best regards,
>> >
>> > João Lima
>> >
>> >
>> > 2012/10/10 Joel Esler <jesler at ...1935...>
>> >>
>> >> Are you saying it's not alerting?
>> >>
>> >> It's working for me perfectly.  Make sure you are using the snort.conf
>> >> from the VRT, current versions are here:
>> >>
>> >> http://www.snort.org/vrt/snort-conf-configurations/
>> >>
>> >> That's what I am testing against.
>> >>
>> >>
>> >> On Oct 10, 2012, at 4:52 AM, João Lima <joao.pedro.paulino.lima at ...11827...> wrote:
>> >>
>> >> Yes I can.
>> >>
>> >> alert tcp any any -> 192.168.8.177 8081 (msg:"action type 50"; sid:1000050; content:"|3c 78 73 64 3a 53 74 61 74 75 73 55 70 64 61 74 65 3e|";)
>> >>
>> >> Sorry. Should have sent the complete rule the first time.
>> >>
>> >> Best regards,
>> >>
>> >> João Lima
>> >>
>> >> 2012/10/9 Joel Esler <jesler at ...1935...>
>> >>>
>> >>> I see the pcap, but I don't see a complete rule to test with.
>> >>>
>> >>> Can you provide that?
>> >>>
>> >>>
>> >>> On Oct 9, 2012, at 5:19 PM, João Lima <joao.pedro.paulino.lima at ...11827...> wrote:
>> >>>
>> >>> Hello,
>> >>>
>> >>> Can anyone help me with this issue??
>> >>>
>> >>> Best regards,
>> >>>
>> >>> João Pedro Lima
>> >>>
>> >>> 2012/10/9 João Lima <joao.pedro.paulino.lima at ...11827...>
>> >>>>
>> >>>> Sure,
>> >>>>
>> >>>> The pcap contains the complete HTTP session of the request. What I
>> >>>> expect to obtain is packet 4 and 5 in just one "pseudo-packet" that
>> >>>> represent the complete HTTP request.
>> >>>>
>> >>>> Best regards,
>> >>>>
>> >>>> João Pedro Lima
>> >>>>
>> >>>>
>> >>>> 2012/10/9 Russ Combs <rcombs at ...1935...>
>> >>>>>
>> >>>>> Can you send a pcap?
>> >>>>>
>> >>>>> On Tue, Oct 9, 2012 at 10:29 AM, João Lima
>> >>>>> <joao.pedro.paulino.lima at ...11827...> wrote:
>> >>>>>>
>> >>>>>> Hello,
>> >>>>>>
>> >>>>>> I'm having a little problem with the reassembly of HTTP PDUs...
>> >>>>>>
>> >>>>>> My scenario is the following: I have one HTTP POST that is spread
>> >>>>>> across two TCP packets... What I'm trying to do is to find one
>> >>>>>> message and alert when it is found, in order to be able to process it in a
>> >>>>>> custom system...
>> >>>>>>
>> >>>>>> However, I've already tried almost every configuration of stream5 and
>> >>>>>> http_inspect, and I'm only able to retrieve the first packet of the two that
>> >>>>>> compose the HTTP POST... All the documentation says it is possible that
>> >>>>>> Snort is able to reassemble packets, but I've found no information about
>> >>>>>> its ability to send a unified2Packet with the reassembled packet...
>> >>>>>>
>> >>>>>> The HTTP server is running on port 8081...
>> >>>>>>
>> >>>>>> Can you tell me if I'm missing something either on the snort
>> >>>>>> configuration or in the detection rule??
>> >>>>>>
>> >>>>>> Rule used to detect the packet:
>> >>>>>>
>> >>>>>> "alert tcp any any -> 192.168.8.177 any (msg:"Action type 50";
>> >>>>>> sid:1000050; content:"|3c 78 73 64 .......|";)"
>> >>>>>>
>> >>>>>> My snort.conf is below:
>> >>>>>>
>> >>>>>> # Setup the network addresses you are protecting
>> >>>>>> ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
>> >>>>>>
>> >>>>>> # Set up the external network addresses. Leave as "any" in most
>> >>>>>> situations
>> >>>>>> ipvar EXTERNAL_NET any
>> >>>>>>
>> >>>>>> # List of DNS servers on your network
>> >>>>>> ipvar DNS_SERVERS $HOME_NET
>> >>>>>>
>> >>>>>> # List of SMTP servers on your network
>> >>>>>> ipvar SMTP_SERVERS $HOME_NET
>> >>>>>>
>> >>>>>> # List of web servers on your network
>> >>>>>> ipvar HTTP_SERVERS $HOME_NET
>> >>>>>>
>> >>>>>> # List of sql servers on your network
>> >>>>>> ipvar SQL_SERVERS $HOME_NET
>> >>>>>>
>> >>>>>> # List of telnet servers on your network
>> >>>>>> ipvar TELNET_SERVERS $HOME_NET
>> >>>>>>
>> >>>>>> # List of ssh servers on your network
>> >>>>>> ipvar SSH_SERVERS $HOME_NET
>> >>>>>>
>> >>>>>> # List of ftp servers on your network
>> >>>>>> ipvar FTP_SERVERS $HOME_NET
>> >>>>>>
>> >>>>>> # List of sip servers on your network
>> >>>>>> ipvar SIP_SERVERS $HOME_NET
>> >>>>>>
>> >>>>>> # List of ports you run web servers on
>> >>>>>> portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]
>> >>>>>>
>> >>>>>> # List of ports you want to look for SHELLCODE on.
>> >>>>>> portvar SHELLCODE_PORTS !80
>> >>>>>>
>> >>>>>> # List of ports you might see oracle attacks on
>> >>>>>> portvar ORACLE_PORTS 1024:
>> >>>>>>
>> >>>>>> # List of ports you want to look for SSH connections on:
>> >>>>>> portvar SSH_PORTS 22
>> >>>>>>
>> >>>>>> # List of ports you run ftp servers on
>> >>>>>> portvar FTP_PORTS [21,2100,3535]
>> >>>>>>
>> >>>>>> # List of ports you run SIP servers on
>> >>>>>> portvar SIP_PORTS [5060,5061,5600]
>> >>>>>>
>> >>>>>> # List of file data ports for file inspection
>> >>>>>> portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
>> >>>>>>
>> >>>>>> # List of GTP ports for GTP preprocessor
>> >>>>>> portvar GTP_PORTS [2123,2152,3386]
>> >>>>>>
>> >>>>>> # other variables, these should not be modified
>> >>>>>> ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>> >>>>>>
>> >>>>>> include /etc/nsm/CSIS/local.variables
>> >>>>>>
>> >>>>>> # Path to your rules files (this can be a relative path)
>> >>>>>> # Note for Windows users:  You are advised to make this an absolute path,
>> >>>>>> # such as:  c:\snort\rules
>> >>>>>> var RULE_PATH /etc/nsm/rules
>> >>>>>> var SO_RULE_PATH /etc/nsm/rules
>> >>>>>> var PREPROC_RULE_PATH /etc/nsm/preproc_rules
>> >>>>>>
>> >>>>>> # If you are using reputation preprocessor set these
>> >>>>>> # Currently there is a bug with relative paths, they are relative to where snort is
>> >>>>>> # not relative to snort.conf like the above variables
>> >>>>>> # This is completely inconsistent with how other vars work, BUG 89986
>> >>>>>> # Set the absolute path appropriately
>> >>>>>> var WHITE_LIST_PATH /etc/nsm/rules
>> >>>>>> var BLACK_LIST_PATH /etc/nsm/rules
>> >>>>>>
>> >>>>>> ###################################################
>> >>>>>> # Step #2: Configure the decoder.  For more information, see README.decode
>> >>>>>> ###################################################
>> >>>>>>
>> >>>>>> # Stop generic decode events:
>> >>>>>> config disable_decode_alerts
>> >>>>>>
>> >>>>>> # Stop Alerts on experimental TCP options
>> >>>>>> config disable_tcpopt_experimental_alerts
>> >>>>>>
>> >>>>>> # Stop Alerts on obsolete TCP options
>> >>>>>> config disable_tcpopt_obsolete_alerts
>> >>>>>>
>> >>>>>> # Stop Alerts on T/TCP alerts
>> >>>>>> config disable_tcpopt_ttcp_alerts
>> >>>>>>
>> >>>>>> # Stop Alerts on all other TCPOption type events:
>> >>>>>> config disable_tcpopt_alerts
>> >>>>>>
>> >>>>>> # Stop Alerts on invalid ip options
>> >>>>>> config disable_ipopt_alerts
>> >>>>>>
>> >>>>>> # Alert if value in length field (IP, TCP, UDP) is greater than length of the packet
>> >>>>>> # config enable_decode_oversized_alerts
>> >>>>>>
>> >>>>>> # Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
>> >>>>>> # config enable_decode_oversized_drops
>> >>>>>>
>> >>>>>> # Configure IP / TCP checksum mode
>> >>>>>> config checksum_mode: all
>> >>>>>>
>> >>>>>> # Configure maximum number of flowbit references.  For more information, see README.flowbits
>> >>>>>> # config flowbits_size: 64
>> >>>>>>
>> >>>>>> # Configure ports to ignore
>> >>>>>> # config ignore_ports: tcp 21 6667:6671 1356
>> >>>>>> # config ignore_ports: udp 1:17 53
>> >>>>>>
>> >>>>>> # Configure active response for non inline operation. For more information, see README.active
>> >>>>>> # config response: eth0 attempts 2
>> >>>>>>
>> >>>>>> # Configure DAQ related options for inline operation. For more information, see README.daq
>> >>>>>> #
>> >>>>>> # config daq: <type>
>> >>>>>> # config daq_dir: <dir>
>> >>>>>> # config daq_mode: <mode>
>> >>>>>> # config daq_var: <var>
>> >>>>>> #
>> >>>>>> # <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
>> >>>>>> # <mode> ::= read-file | passive | inline
>> >>>>>> # <var> ::= arbitrary <name>=<value passed to DAQ
>> >>>>>> # <dir> ::= path as to where to look for DAQ module so's
>> >>>>>>
>> >>>>>> # Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options
>> >>>>>> #
>> >>>>>> # config set_gid:
>> >>>>>> # config set_uid:
>> >>>>>>
>> >>>>>> # Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
>> >>>>>> #
>> >>>>>> # config snaplen:
>> >>>>>> #
>> >>>>>>
>> >>>>>> # Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
>> >>>>>> #
>> >>>>>> # config bpf_file:
>> >>>>>> #
>> >>>>>>
>> >>>>>> # Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)
>> >>>>>> #
>> >>>>>> # config logdir:
>> >>>>>>
>> >>>>>>
>> >>>>>> ###################################################
>> >>>>>> # Step #3: Configure the base detection engine.  For more information, see README.decode
>> >>>>>> ###################################################
>> >>>>>>
>> >>>>>> # Configure PCRE match limitations
>> >>>>>> config pcre_match_limit: 3500
>> >>>>>> config pcre_match_limit_recursion: 1500
>> >>>>>>
>> >>>>>> # Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
>> >>>>>> config detection: search-method ac-split search-optimize max-pattern-len 20
>> >>>>>>
>> >>>>>> # Configure the event queue.  For more information, see README.event_queue
>> >>>>>> config event_queue: max_queue 8 log 3 order_events content_length
>> >>>>>>
>> >>>>>> ###################################################
>> >>>>>> ## Configure GTP if it is to be used.
>> >>>>>> ## For more information, see README.GTP
>> >>>>>> ####################################################
>> >>>>>>
>> >>>>>> # config enable_gtp
>> >>>>>>
>> >>>>>> ###################################################
>> >>>>>> # Per packet and rule latency enforcement
>> >>>>>> # For more information see README.ppm
>> >>>>>> ###################################################
>> >>>>>>
>> >>>>>> # Per Packet latency configuration
>> >>>>>> #config ppm: max-pkt-time 250, \
>> >>>>>> #   fastpath-expensive-packets, \
>> >>>>>> #   pkt-log
>> >>>>>>
>> >>>>>> # Per Rule latency configuration
>> >>>>>> #config ppm: max-rule-time 200, \
>> >>>>>> #   threshold 3, \
>> >>>>>> #   suspend-expensive-rules, \
>> >>>>>> #   suspend-timeout 20, \
>> >>>>>> #   rule-log alert
>> >>>>>>
>> >>>>>> ###################################################
>> >>>>>> # Configure Perf Profiling for debugging
>> >>>>>> # For more information see README.PerfProfiling
>> >>>>>> ###################################################
>> >>>>>>
>> >>>>>> #config profile_rules: print all, sort avg_ticks
>> >>>>>> #config profile_preprocs: print all, sort avg_ticks
>> >>>>>>
>> >>>>>> ###################################################
>> >>>>>> # Configure protocol aware flushing
>> >>>>>> # For more information see README.stream5
>> >>>>>> ###################################################
>> >>>>>> config paf_max: 16000
>> >>>>>>
>> >>>>>> ###################################################
>> >>>>>> # Step #4: Configure dynamic loaded libraries.
>> >>>>>> # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
>> >>>>>> ###################################################
>> >>>>>>
>> >>>>>> # path to dynamic preprocessor libraries
>> >>>>>> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>> >>>>>>
>> >>>>>> # path to base preprocessor engine
>> >>>>>> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>> >>>>>>
>> >>>>>> # path to dynamic rules libraries
>> >>>>>> dynamicdetection directory /usr/local/lib/snort_dynamicrules
>> >>>>>>
>> >>>>>> ###################################################
>> >>>>>> # Step #5: Configure preprocessors
>> >>>>>> # For more information, see the Snort Manual, Configuring Snort - Preprocessors
>> >>>>>> ###################################################
>> >>>>>>
>> >>>>>> # GTP Control Channel Preprocessor. For more information, see README.GTP
>> >>>>>> # preprocessor gtp: ports { 2123 3386 2152 }
>> >>>>>>
>> >>>>>> # Inline packet normalization. For more information, see README.normalize
>> >>>>>> # Does nothing in IDS mode
>> >>>>>> preprocessor normalize_ip4
>> >>>>>> preprocessor normalize_tcp: ips ecn stream
>> >>>>>> preprocessor normalize_icmp4
>> >>>>>> preprocessor normalize_ip6
>> >>>>>> preprocessor normalize_icmp6
>> >>>>>>
>> >>>>>> # Target-based IP defragmentation.  For more information, see README.frag3
>> >>>>>> preprocessor frag3_global: max_frags 65536
>> >>>>>> preprocessor frag3_engine: policy windows detect_anomalies
>> >>>>>> overlap_limit 10 min_fragment_length 100 timeout 180
>> >>>>>>
>> >>>>>> # Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
>> >>>>>> preprocessor stream5_global: track_tcp yes, \
>> >>>>>>    track_udp yes, \
>> >>>>>>    track_icmp no, \
>> >>>>>>    max_tcp 262144, \
>> >>>>>>    max_udp 131072, \
>> >>>>>>    max_active_responses 2, \
>> >>>>>>    min_response_seconds 5
>> >>>>>> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>> >>>>>>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>> >>>>>>     ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
>> >>>>>>         161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \
>> >>>>>>         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>> >>>>>>     ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777 7779 \
>> >>>>>>         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
>> >>>>>>         7917 7918 7919 7920 8000 8008 8014 8028 8080 8081 8088 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
>> >>>>>> preprocessor stream5_udp: timeout 180
>> >>>>>>
>> >>>>>> # performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
>> >>>>>> preprocessor perfmonitor: time 300 file /nsm/sensor_data/onion-desktop-eth0/snort.stats pktcnt 10000
>> >>>>>>
>> >>>>>> # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
>> >>>>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
>> >>>>>> preprocessor http_inspect_server: server default \
>> >>>>>>     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>> >>>>>>     chunk_length 500000 \
>> >>>>>>     server_flow_depth 0 \
>> >>>>>>     client_flow_depth 0 \
>> >>>>>>     post_depth 65495 \
>> >>>>>>     oversize_dir_length 500 \
>> >>>>>>     max_header_length 750 \
>> >>>>>>     max_headers 100 \
>> >>>>>>     max_spaces 0 \
>> >>>>>>     small_chunk_length { 10 5 } \
>> >>>>>>     ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8081 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 } \
>> >>>>>>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>> >>>>>>     enable_cookie \
>> >>>>>>     extended_response_inspection \
>> >>>>>>     inspect_gzip \
>> >>>>>>     normalize_utf \
>> >>>>>>     unlimited_decompress \
>> >>>>>>     normalize_javascript \
>> >>>>>>     apache_whitespace no \
>> >>>>>>     ascii no \
>> >>>>>>     bare_byte no \
>> >>>>>>     directory no \
>> >>>>>>     double_decode no \
>> >>>>>>     iis_backslash no \
>> >>>>>>     iis_delimiter no \
>> >>>>>>     iis_unicode no \
>> >>>>>>     multi_slash no \
>> >>>>>>     utf_8 no \
>> >>>>>>     u_encode yes \
>> >>>>>>     webroot no
>> >>>>>>
>> >>>>>> # ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
>> >>>>>> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
>> >>>>>>
>> >>>>>> # Back Orifice detection.
>> >>>>>> preprocessor bo
>> >>>>>>
>> >>>>>> # FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
>> >>>>>> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
>> >>>>>> preprocessor ftp_telnet_protocol: telnet \
>> >>>>>>     ayt_attack_thresh 20 \
>> >>>>>>     normalize ports { 23 } \
>> >>>>>>     detect_anomalies
>> >>>>>> preprocessor ftp_telnet_protocol: ftp server default \
>> >>>>>>     def_max_param_len 100 \
>> >>>>>>     ports { 21 2100 3535 } \
>> >>>>>>     telnet_cmds yes \
>> >>>>>>     ignore_telnet_erase_cmds yes \
>> >>>>>>     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
>> >>>>>>     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
>> >>>>>>     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
>> >>>>>>     ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
>> >>>>>>     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
>> >>>>>>     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
>> >>>>>>     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
>> >>>>>>     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
>> >>>>>>     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
>> >>>>>>     ftp_cmds { XSEN XSHA1 XSHA256 } \
>> >>>>>>     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
>> >>>>>>     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
>> >>>>>>     alt_max_param_len 256 { CWD RNTO } \
>> >>>>>>     alt_max_param_len 400 { PORT } \
>> >>>>>>     alt_max_param_len 512 { SIZE } \
>> >>>>>>     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
>> >>>>>>     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
>> >>>>>>     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
>> >>>>>>     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
>> >>>>>>     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
>> >>>>>>     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
>> >>>>>>     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
>> >>>>>>     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
>> >>>>>>     cmd_validity ALLO < int [ char R int ] > \
>> >>>>>>     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
>> >>>>>>     cmd_validity MACB < string > \
>> >>>>>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>> >>>>>>     cmd_validity MODE < char ASBCZ > \
>> >>>>>>     cmd_validity PORT < host_port > \
>> >>>>>>     cmd_validity PROT < char CSEP > \
>> >>>>>>     cmd_validity STRU < char FRPO [ string ] > \
>> >>>>>>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
>> >>>>>> preprocessor ftp_telnet_protocol: ftp client default \
>> >>>>>>     max_resp_len 256 \
>> >>>>>>     bounce yes \
>> >>>>>>     ignore_telnet_erase_cmds yes \
>> >>>>>>     telnet_cmds yes
>> >>>>>>
>> >>>>>>
>> >>>>>> # SMTP normalization and anomaly detection.  For more information, see README.SMTP
>> >>>>>> preprocessor smtp: ports { 25 465 587 691 } \
>> >>>>>>     inspection_type stateful \
>> >>>>>>     b64_decode_depth 0 \
>> >>>>>>     qp_decode_depth 0 \
>> >>>>>>     bitenc_decode_depth 0 \
>> >>>>>>     uu_decode_depth 0 \
>> >>>>>>     log_mailfrom \
>> >>>>>>     log_rcptto \
>> >>>>>>     log_filename \
>> >>>>>>     log_email_hdrs \
>> >>>>>>     normalize cmds \
>> >>>>>>     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>> >>>>>>     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>> >>>>>>     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>> >>>>>>     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>> >>>>>>     max_command_line_len 512 \
>> >>>>>>     max_header_line_len 1000 \
>> >>>>>>     max_response_line_len 512 \
>> >>>>>>     alt_max_command_line_len 260 { MAIL } \
>> >>>>>>     alt_max_command_line_len 300 { RCPT } \
>> >>>>>>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>> >>>>>>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>> >>>>>>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>> >>>>>>     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>> >>>>>>     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>> >>>>>>     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>> >>>>>>     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>> >>>>>>     xlink2state { enabled }
>> >>>>>>
>> >>>>>> # Portscan detection.  For more information, see README.sfportscan
>> >>>>>> # preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }
>> >>>>>>
>> >>>>>> # ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
>> >>>>>> # preprocessor arpspoof
>> >>>>>> # preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>> >>>>>>
>> >>>>>> # SSH anomaly detection.  For more information, see README.ssh
>> >>>>>> preprocessor ssh: server_ports { 22 } \
>> >>>>>>                   autodetect \
>> >>>>>>                   max_client_bytes 19600 \
>> >>>>>>                   max_encrypted_packets 20 \
>> >>>>>>                   max_server_version_len 100 \
>> >>>>>>                   enable_respoverflow enable_ssh1crc32 \
>> >>>>>>                   enable_srvoverflow enable_protomismatch
>> >>>>>>
>> >>>>>> # SMB / DCE-RPC normalization and anomaly detection.  For more information, see README.dcerpc2
>> >>>>>> preprocessor dcerpc2: memcap 102400, events [co ]
>> >>>>>> preprocessor dcerpc2_server: default, policy WinXP, \
>> >>>>>>     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
>> >>>>>>     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>> >>>>>>     smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
>> >>>>>>
>> >>>>>> # DNS anomaly detection.  For more information, see README.dns
>> >>>>>> preprocessor dns: ports { 53 } enable_rdata_overflow
>> >>>>>>
>> >>>>>> # SSL anomaly detection and traffic bypass.  For more information, see README.ssl
>> >>>>>> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
>> >>>>>>
>> >>>>>> # SDF sensitive data preprocessor.  For more information see README.sensitive_data
>> >>>>>> preprocessor sensitive_data: alert_threshold 25
>> >>>>>>
>> >>>>>> # SIP Session Initiation Protocol preprocessor.  For more information see README.sip
>> >>>>>> preprocessor sip: max_sessions 40000, \
>> >>>>>>    ports { 5060 5061 5600 }, \
>> >>>>>>    methods { invite \
>> >>>>>>              cancel \
>> >>>>>>              ack \
>> >>>>>>              bye \
>> >>>>>>              register \
>> >>>>>>              options \
>> >>>>>>              refer \
>> >>>>>>              subscribe \
>> >>>>>>              update \
>> >>>>>>              join \
>> >>>>>>              info \
>> >>>>>>              message \
>> >>>>>>              notify \
>> >>>>>>              benotify \
>> >>>>>>              do \
>> >>>>>>              qauth \
>> >>>>>>              sprack \
>> >>>>>>              publish \
>> >>>>>>              service \
>> >>>>>>              unsubscribe \
>> >>>>>>              prack }, \
>> >>>>>>    max_uri_len 512, \
>> >>>>>>    max_call_id_len 80, \
>> >>>>>>    max_requestName_len 20, \
>> >>>>>>    max_from_len 256, \
>> >>>>>>    max_to_len 256, \
>> >>>>>>    max_via_len 1024, \
>> >>>>>>    max_contact_len 512, \
>> >>>>>>    max_content_len 2048
>> >>>>>>
>> >>>>>> # IMAP preprocessor.  For more information see README.imap
>> >>>>>> preprocessor imap: \
>> >>>>>>    ports { 143 } \
>> >>>>>>    b64_decode_depth 0 \
>> >>>>>>    qp_decode_depth 0 \
>> >>>>>>    bitenc_decode_depth 0 \
>> >>>>>>    uu_decode_depth 0
>> >>>>>>
>> >>>>>> # POP preprocessor. For more information see README.pop
>> >>>>>> preprocessor pop: \
>> >>>>>>    ports { 110 } \
>> >>>>>>    b64_decode_depth 0 \
>> >>>>>>    qp_decode_depth 0 \
>> >>>>>>    bitenc_decode_depth 0 \
>> >>>>>>    uu_decode_depth 0
>> >>>>>>
>> >>>>>> # Modbus preprocessor. For more information see README.modbus
>> >>>>>> preprocessor modbus: ports { 502 }
>> >>>>>>
>> >>>>>> # DNP3 preprocessor. For more information see README.dnp3
>> >>>>>> preprocessor dnp3: ports { 20000 } \
>> >>>>>>    memcap 262144 \
>> >>>>>>    check_crc
>> >>>>>>
>> >>>>>> # Reputation preprocessor. For more information see README.reputation
>> >>>>>> preprocessor reputation: \
>> >>>>>>    memcap 500, \
>> >>>>>>    priority whitelist, \
>> >>>>>>    nested_ip inner, \
>> >>>>>>    whitelist $WHITE_LIST_PATH/white_list.rules, \
>> >>>>>>    blacklist $BLACK_LIST_PATH/black_list.rules
>> >>>>>>
>> >>>>>> ###################################################
>> >>>>>> # Step #6: Configure output plugins
>> >>>>>> # For more information, see Snort Manual, Configuring Snort - Output Modules
>> >>>>>> ###################################################
>> >>>>>>
>> >>>>>> # unified2
>> >>>>>> # Recommended for most installs
>> >>>>>> output unified2: filename snort.unified2, limit 128
>> >>>>>>
>> >>>>>> include /etc/nsm/CSIS/fifo.output
>> >>>>>>
>> >>>>>> # Additional configuration for specific types of installs
>> >>>>>> # output alert_unified2: filename snort.alert, limit 128, nostamp
>> >>>>>> # output log_unified2: filename snort.log, limit 128, nostamp
>> >>>>>>
>> >>>>>> # syslog
>> >>>>>> # output alert_syslog: LOG_AUTH LOG_ALERT
>> >>>>>>
>> >>>>>> # pcap
>> >>>>>> # output log_tcpdump: tcpdump.log
>> >>>>>>
>> >>>>>> # database
>> >>>>>> # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
>> >>>>>> # output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
>> >>>>>>
>> >>>>>> # prelude
>> >>>>>> # output alert_prelude
>> >>>>>>
>> >>>>>> # metadata reference data.  do not modify these lines
>> >>>>>> include classification.config
>> >>>>>> include reference.config
>> >>>>>>
>> >>>>>>
>> >>>>>> ###################################################
>> >>>>>> # Step #7: Customize your rule set
>> >>>>>> # For more information, see Snort Manual, Writing Snort Rules
>> >>>>>> #
>> >>>>>> # NOTE: All categories are enabled in this conf file
>> >>>>>> ###################################################
>> >>>>>>
>> >>>>>> # site specific rules
>> >>>>>> include $RULE_PATH/local.rules
>> >>>>>>
>> >>>>>> include $RULE_PATH/specificationBased.rules
>> >>>>>>
>> >>>>>> # rules downloaded by PulledPork
>> >>>>>> include $RULE_PATH/downloaded.rules
>> >>>>>>
>> >>>>>> ###################################################
>> >>>>>> # Step #8: Customize your preprocessor and decoder alerts
>> >>>>>> # For more information, see README.decoder_preproc_rules
>> >>>>>> ###################################################
>> >>>>>>
>> >>>>>> # decoder and preprocessor event rules
>> >>>>>> # include $PREPROC_RULE_PATH/preprocessor.rules
>> >>>>>> # include $PREPROC_RULE_PATH/decoder.rules
>> >>>>>> # include $PREPROC_RULE_PATH/sensitive-data.rules
>> >>>>>>
>> >>>>>> ###################################################
>> >>>>>> # Step #9: Customize your Shared Object Snort Rules
>> >>>>>> # For more information, see http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
>> >>>>>> ###################################################
>> >>>>>>
>> >>>>>> # dynamic library rules
>> >>>>>> include $SO_RULE_PATH/so_rules.rules
>> >>>>>>
>> >>>>>> # Event thresholding or suppression commands. See threshold.conf
>> >>>>>> include threshold.conf
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> ------------------------------------------------------------------------------
>> >>>>>> Don't let slow site performance ruin your business. Deploy New Relic APM
>> >>>>>> Deploy New Relic app performance management and know exactly
>> >>>>>> what is happening inside your Ruby, Python, PHP, Java, and .NET app
>> >>>>>> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
>> >>>>>> http://p.sf.net/sfu/newrelic-dev2dev
>> >>>>>> _______________________________________________
>> >>>>>> Snort-users mailing list
>> >>>>>> Snort-users at lists.sourceforge.net
>> >>>>>> Go to this URL to change user options or unsubscribe:
>> >>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >>>>>> Snort-users list archive:
>> >>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >>>>>>
>> >>>>>> Please visit http://blog.snort.org to stay current on all the
>> latest
>> >>>>>> Snort news!
>> >>>>>
>> >>>>>
>> >>>>
>> >>>
>> >>>
>> >>>
>> <StatusUpdateSequence3.pcap>
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>>
>> --
>> Regards,
>>
>> Jason.
>>
>