[Snort-users] Snort could log attack but logfile remains empty.

beenph beenph at ...11827...
Mon May 26 18:49:30 EDT 2014


If you want your output directives to work, make sure that you do not
use the -b command line switch; also, -A full is the default, so you can
skip that.

Also make sure that you do not have checksum errors on the interface
you're monitoring; you can add -k none to your snort command line
arguments to disable checksum validation and check whether that helps.

-elz
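The zero-byte snort.u2 / snort.alert / snort.log files in the question are the symptom; once the spool is being written, the next question is what it actually contains and whether Barnyard2 has anything to consume. The reader below is an added example (not code from the thread or from the Snort project) that walks a unified2 spool file record by record, using the record layouts of the unified2 format Snort 2.9 writes with `output unified2:` (packet records, IDS events, and the VLAN-flavoured IDS event). The sample spool it builds is constructed inline: the addresses and ports mirror the NetBIOS broadcast shown in the question, and the signature id 1000001 is a placeholder for a local rule.

```python
"""Minimal unified2 reader: report what a Snort unified2 spool file contains.

Added example, not part of the mailing-list thread. Record layouts follow the
unified2 format (big-endian, (type, length) header before every record).
"""
import socket
import struct
from collections import Counter

# Record type codes from the unified2 format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_VLAN = 104

# Every record starts with a big-endian (type, length) header.
RECORD_HDR = struct.Struct("!II")
# IDS event body (52 bytes): sensor_id, event_id, event_second, event_usec,
# sig_id, gen_id, sig_rev, class_id, priority, src_ip, dst_ip,
# sport/itype, dport/icode, protocol, impact_flag, impact, blocked
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
# VLAN variant (60 bytes) appends mpls_label, vlan_id, pad.
IDS_EVENT_VLAN = struct.Struct("!IIIIIIIIIIIHHBBBBIHH")
# Packet record header (28 bytes): sensor_id, event_id, event_second,
# packet_second, packet_usec, linktype, packet_length; packet bytes follow.
PACKET_HDR = struct.Struct("!IIIIIII")


def parse_unified2(data):
    """Yield (record_type, body) for each record; ValueError on truncation."""
    off = 0
    while off < len(data):
        if len(data) - off < RECORD_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if len(data) - off < rlen:
            raise ValueError("truncated record body at offset %d" % off)
        yield rtype, data[off:off + rlen]
        off += rlen


def decode_event(rtype, body):
    """Unpack an IDS event body into the fields an analyst looks at first."""
    layout = IDS_EVENT_VLAN if rtype == UNIFIED2_IDS_EVENT_VLAN else IDS_EVENT
    f = layout.unpack_from(body)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "gid": f[5], "sid": f[4], "rev": f[6],
        "classification": f[7], "priority": f[8],
        "src": socket.inet_ntoa(struct.pack("!I", f[9])),
        "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13],
    }


def summarize(data):
    """Count records by type and decode every IDS event in the spool."""
    counts = Counter()
    events = []
    for rtype, body in parse_unified2(data):
        counts[rtype] += 1
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            events.append(decode_event(rtype, body))
    return {"records": sum(counts.values()), "by_type": dict(counts), "events": events}


def inspect_file(path):
    """Read a spool file from disk; a 0-byte file is reported, not parsed."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data:
        return {"records": 0, "by_type": {}, "events": [],
                "note": "spool file is empty (0 bytes): Snort wrote no records"}
    return summarize(data)


def build_sample_spool():
    """Constructed sample: one IDS event and its packet record, as Snort spools them."""
    src = struct.unpack("!I", socket.inet_aton("192.168.2.1"))[0]
    dst = struct.unpack("!I", socket.inet_aton("192.168.2.127"))[0]
    # sid 1000001 is a placeholder local-rule id; proto 17 = UDP, ports 137/137.
    event = IDS_EVENT.pack(0, 1, 1401082370, 0, 1000001, 1, 1, 3, 2,
                           src, dst, 137, 137, 17, 0, 0, 0)
    pkt = b"\x00" * 14 + b"\x45\x00\x00\x4e"  # constructed placeholder packet bytes
    packet = PACKET_HDR.pack(0, 1, 1401082370, 1401082370, 0, 1, len(pkt)) + pkt
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    import sys
    result = inspect_file(sys.argv[1]) if len(sys.argv) > 1 else summarize(build_sample_spool())
    print("records: %d  by type: %s" % (result["records"], result["by_type"]))
    for ev in result["events"]:
        print("  [%d:%d:%d] %s:%d -> %s:%d proto %d" % (
            ev["gid"], ev["sid"], ev["rev"], ev["src"], ev["sport"],
            ev["dst"], ev["dport"], ev["proto"]))
    if "note" in result:
        print(result["note"])
```

Run it with no argument to see the constructed sample decoded, or point it at a real spool (`python unified2_peek.py /var/log/snort/snort.u2.1401082370`). A healthy spool shows both event and packet records for each alert; a file that only ever reports the "0 bytes" note means the problem is upstream of Barnyard2, which is where the advice about `-b` and `-k none` applies.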


On Mon, May 26, 2014 at 5:54 AM, Hadri Rahman <hadri90 at ...11827...> wrote:
> Snort could log attack but logfile remains empty.
>
> I've set up Snort and Barnyard2 on my system using this guide:
> http://www.symmetrixtech.com/articles/016-snortinstallguide2953.pdf
>
> I then added:
>
> ifconfig eth1 up
> /usr/local/snort/bin/snort -D -u snort -g snort \
> -c /usr/local/snort/etc/snort.conf -i eth1
> /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \
> -d /var/log/snort \
> -f snort.u2 \
> -w /var/log/snort/barnyard2.waldo \
> -D
>
> In my /etc/rc.local file.
>
> It was able to detect the attacks I've performed, but when I checked the
> logfile, the logfile remained empty. I've also tried the commands:
>
> sudo /usr/local/snort/bin/snort -A full -u snort -g snort \
> -c /usr/local/snort/etc/snort.conf -i eth1
>
> and
>
> sudo /usr/local/snort/bin/snort -dev -l /var/log/snort -b -u snort -g snort
> -c /usr/local/snort/etc/snort.conf -i eth1
>
> But the results remained the same, but the second command would usually
> result in something like this appearing on the screen:
>
> 05/22-10:49:13.435375 00:26:18:8B:75:8C -> FF:FF:FF:FF:FF:FF type:0x800
> len:0x5C
> 192.168.2.1:137 -> 192.168.2.127:137 UDP TTL:128 TOS:0x0 ID:1389 IpLen:20
> DgmLen:78
> Len: 50
> E2 2B 01 10 00 01 00 00 00 00 00 00 20 45 42 46  .+.......... EBF
> 47 45 42 46 45 45 42 46 43 46 44 43 4F 45 47 46  GEBFEEBFCFDCOEGF
> 4A 46 43 45 46 43 4F 45 44 45 50 41 41 00 00 20  JFCEFCOEDEPAA..
> 00 01                                            ..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 05/22-10:49:14.184843 00:26:18:8B:75:8C -> FF:FF:FF:FF:FF:FF type:0x800
> len:0x5C
> 192.168.2.1:137 -> 192.168.2.127:137 UDP TTL:128 TOS:0x0 ID:1390 IpLen:20
> DgmLen:78
> Len: 50
> E2 2B 01 10 00 01 00 00 00 00 00 00 20 45 42 46  .+.......... EBF
> 47 45 42 46 45 45 42 46 43 46 44 43 4F 45 47 46  GEBFEEBFCFDCOEGF
> 4A 46 43 45 46 43 4F 45 44 45 50 41 41 00 00 20  JFCEFCOEDEPAA..
> 00 01                                            ..
>
> while the other will simply be blank until I press Control-C and it will
> show the statistics of the packets it had captured during the period.
>
> I have checked and confirmed that Snort, Barnyard2 and MySQL are working,
> the first two are also working under the user "Snort" and the group "Snort".
> However, when I checked the file content of /var/log/snort using ls -lsat,
> it showed this:
>
> drwxr-xrwx 18 root  root  4096 Mei  26 13:32 ..
> -rw-------  1 snort snort    0 Mei  26 13:32 tcpdump.log.1401082370
> -rw-------  1 snort snort    0 Mei  26 13:32 snort.u2.1401082370
> -rw-------  1 snort snort    0 Mei  26 13:32 snort.log
> -rw-------  1 snort snort    0 Mei  26 13:32 snort.alert
> drwxr-xrwx  2 snort snort 4096 Mei  26 13:32 .
>
> Here's the output of snort -V:
>
>   ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.6.0 GRE (Build 47)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.4.0
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.8
>
>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.1  <Build 1>
>            Rules Object: web-misc  Version 1.0  <Build 1>
>            Rules Object: smtp  Version 1.0  <Build 1>
>            Rules Object: exploit  Version 1.0  <Build 1>
>            Rules Object: dos  Version 1.0  <Build 1>
>            Rules Object: nntp  Version 1.0  <Build 1>
>            Rules Object: imap  Version 1.0  <Build 1>
>            Rules Object: specific-threats  Version 1.0  <Build 1>
>            Rules Object: chat  Version 1.0  <Build 1>
>            Rules Object: netbios  Version 1.0  <Build 1>
>            Rules Object: web-client  Version 1.0  <Build 1>
>            Rules Object: icmp  Version 1.0  <Build 1>
>            Rules Object: p2p  Version 1.0  <Build 1>
>            Rules Object: snmp  Version 1.0  <Build 1>
>            Rules Object: multimedia  Version 1.0  <Build 1>
>            Rules Object: web-iis  Version 1.0  <Build 1>
>            Rules Object: bad-traffic  Version 1.0  <Build 1>
>            Rules Object: web-activex  Version 1.0  <Build 1>
>            Rules Object: misc  Version 1.0  <Build 1>
>            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
>            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
>            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
>            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
>            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
>
> And here's my snort.conf file, the changes made highlighted in bold:
>
> #--------------------------------------------------
> #   VRT Rule Packages Snort.conf
> #
> #   For more information visit us at:
> #     http://www.snort.org                   Snort Website
> #     http://vrt-blog.snort.org/    Sourcefire VRT Blog
> #
> #     Mailing list Contact:      snort-sigs at lists.sourceforge.net
> #     False Positive reports:    fp at ...1935...
> #     Snort bugs:                bugs at ...950...
> #
> #     Compatible with Snort Versions:
> #     VERSIONS : 2.9.6.0
> #
> #     Snort build options:
> #     OPTIONS : --enable-gre --enable-mpls --enable-targetbased --enable-ppm
> --enable-perfprofiling --enable-zlib --enable-active-response
> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
> #
> #     Additional information:
> #     This configuration file enables active response, to run snort in
> #     test mode -T you are required to supply an interface -i <interface>
> #     or test mode will fail to fully validate the configuration and
> #     exit with a FATAL error
> #--------------------------------------------------
>
> ###################################################
> # This file contains a sample snort configuration.
> # You should take the following steps to create your own custom configuration:
> #
> #  1) Set the network variables.
> #  2) Configure the decoder
> #  3) Configure the base detection engine
> #  4) Configure dynamic loaded libraries
> #  5) Configure preprocessors
> #  6) Configure output plugins
> #  7) Customize your rule set
> #  8) Customize preprocessor and decoder rule set
> #  9) Customize shared object rule set
> ###################################################
>
> ###################################################
> # Step #1: Set the network variables.  For more information, see README.variables
> ###################################################
>
> # Setup the network addresses you are protecting
> var HOME_NET any
>
> # Set up the external network addresses. Leave as "any" in most situations
> var EXTERNAL_NET any
>
> # List of DNS servers on your network
> var DNS_SERVERS $HOME_NET
>
> # List of SMTP servers on your network
> var SMTP_SERVERS $HOME_NET
>
> # List of web servers on your network
> var HTTP_SERVERS $HOME_NET
>
> # List of sql servers on your network
> var SQL_SERVERS $HOME_NET
>
> # List of telnet servers on your network
> var TELNET_SERVERS $HOME_NET
>
> # List of ssh servers on your network
> var SSH_SERVERS $HOME_NET
>
> # List of ftp servers on your network
> var FTP_SERVERS $HOME_NET
>
> # List of sip servers on your network
> var SIP_SERVERS $HOME_NET
>
> # List of ports you run web servers on
> portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,2231,2301,2381,2809,3029,3037,3057,3128,3443,3702,4000,4343,4848,5117,5250,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8509,8800,8888,8899,9000,9060,9080,9090,9091,9111,9443,9999,10000,11371,12601,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712]
>
> # List of ports you want to look for SHELLCODE on.
> portvar SHELLCODE_PORTS !80
>
> # List of ports you might see oracle attacks on
> portvar ORACLE_PORTS 1024:
>
> # List of ports you want to look for SSH connections on:
> portvar SSH_PORTS 22
>
> # List of ports you run ftp servers on
> portvar FTP_PORTS [21,2100,3535]
>
> # List of ports you run SIP servers on
> portvar SIP_PORTS [5060,5061,5600]
>
> # List of file data ports for file inspection
> portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
>
> # List of GTP ports for GTP preprocessor
> portvar GTP_PORTS [2123,2152,3386]
>
> # other variables, these should not be modified
> ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>
> # Path to your rules files (this can be a relative path)
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\rules
> var RULE_PATH ../rules
> var SO_RULE_PATH ../so_rules
> var PREPROC_RULE_PATH ../preproc_rules
>
> # If you are using reputation preprocessor set these
> var WHITE_LIST_PATH /usr/local/snort/rules
> var BLACK_LIST_PATH /usr/local/snort/rules
>
> ###################################################
> # Step #2: Configure the decoder.  For more information, see README.decode
> ###################################################
>
> # Stop generic decode events:
> config disable_decode_alerts
>
> # Stop Alerts on experimental TCP options
> config disable_tcpopt_experimental_alerts
>
> # Stop Alerts on obsolete TCP options
> config disable_tcpopt_obsolete_alerts
>
> # Stop Alerts on T/TCP alerts
> config disable_tcpopt_ttcp_alerts
>
> # Stop Alerts on all other TCPOption type events:
> config disable_tcpopt_alerts
>
> # Stop Alerts on invalid ip options
> config disable_ipopt_alerts
>
> # Alert if value in length field (IP, TCP, UDP) is greater than the length of the packet
> # config enable_decode_oversized_alerts
>
> # Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
> # config enable_decode_oversized_drops
>
> # Configure IP / TCP checksum mode
> config checksum_mode: all
>
> # Configure maximum number of flowbit references.  For more information, see README.flowbits
> # config flowbits_size: 64
>
> # Configure ports to ignore
> # config ignore_ports: tcp 21 6667:6671 1356
> # config ignore_ports: udp 1:17 53
>
> # Configure active response for non inline operation. For more information, see README.active
> # config response: eth0 attempts 2
>
> # Configure DAQ related options for inline operation. For more information, see README.daq
> #
> # config daq: <type>
> # config daq_dir: <dir>
> # config daq_mode: <mode>
> # config daq_var: <var>
> #
> # <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
> # <mode> ::= read-file | passive | inline
> # <var> ::= arbitrary <name>=<value passed to DAQ
> # <dir> ::= path as to where to look for DAQ module so's
>
> # Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options
> #
> # config set_gid:
> # config set_uid:
>
> # Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
> #
> # config snaplen:
> #
>
> # Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
> #
> # config bpf_file:
> #
>
> # Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)
> #
> # config logdir:
>
>
> ###################################################
> # Step #3: Configure the base detection engine.  For more information, see README.decode
> ###################################################
>
> # Configure PCRE match limitations
> config pcre_match_limit: 3500
> config pcre_match_limit_recursion: 1500
>
> # Configure the detection engine.  See the Snort Manual, Configuring Snort - Includes - Config
> config detection: search-method ac-split search-optimize max-pattern-len 20
>
> # Configure the event queue.  For more information, see README.event_queue
> config event_queue: max_queue 8 log 5 order_events content_length
>
> ###################################################
> ## Configure GTP if it is to be used.
> ## For more information, see README.GTP
> ####################################################
>
> # config enable_gtp
>
> ###################################################
> # Per packet and rule latency enforcement
> # For more information see README.ppm
> ###################################################
>
> # Per Packet latency configuration
> #config ppm: max-pkt-time 250, \
> #   fastpath-expensive-packets, \
> #   pkt-log
>
> # Per Rule latency configuration
> #config ppm: max-rule-time 200, \
> #   threshold 3, \
> #   suspend-expensive-rules, \
> #   suspend-timeout 20, \
> #   rule-log alert
>
> ###################################################
> # Configure Perf Profiling for debugging
> # For more information see README.PerfProfiling
> ###################################################
>
> #config profile_rules: print all, sort avg_ticks
> #config profile_preprocs: print all, sort avg_ticks
>
> ###################################################
> # Configure protocol aware flushing
> # For more information see README.stream5
> ###################################################
> config paf_max: 16000
>
> ###################################################
> # Step #4: Configure dynamic loaded libraries.
> # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
> ###################################################
>
> # path to dynamic preprocessor libraries
> dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
>
> # path to base preprocessor engine
> dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
>
> # path to dynamic rules libraries
> dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
>
> ###################################################
> # Step #5: Configure preprocessors
> # For more information, see the Snort Manual, Configuring Snort - Preprocessors
> ###################################################
>
> # GTP Control Channle Preprocessor. For more information, see README.GTP
> # preprocessor gtp: ports { 2123 3386 2152 }
>
> # Inline packet normalization. For more information, see README.normalize
> # Does nothing in IDS mode
> preprocessor normalize_ip4
> preprocessor normalize_tcp: ips ecn stream
> preprocessor normalize_icmp4
> preprocessor normalize_ip6
> preprocessor normalize_icmp6
>
> # Target-based IP defragmentation.  For more information, see README.frag3
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
>
> # Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
> preprocessor stream5_global: track_tcp yes, \
>    track_udp yes, \
>    track_icmp no, \
>    max_tcp 262144, \
>    max_udp 131072, \
>    max_active_responses 2, \
>    min_response_seconds 5
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>     ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \
>         161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
>         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>     ports both 36 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7907 7000 7001 7071 7144 7145 7510 7802 7770 7777 7779 \
>         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
>         7917 7918 7919 7920 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000 11371 12601 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712
> preprocessor stream5_udp: timeout 180
>
> # performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>
> # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
> preprocessor http_inspect_server: server default \
>     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>     chunk_length 500000 \
>     server_flow_depth 0 \
>     client_flow_depth 0 \
>     post_depth 65495 \
>     oversize_dir_length 500 \
>     max_header_length 750 \
>     max_headers 100 \
>     max_spaces 200 \
>     small_chunk_length { 10 5 } \
>     ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000 11371 12601 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 } \
>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>     enable_cookie \
>     extended_response_inspection \
>     inspect_gzip \
>     normalize_utf \
>     unlimited_decompress \
>     normalize_javascript \
>     apache_whitespace no \
>     ascii no \
>     bare_byte no \
>     directory no \
>     double_decode no \
>     iis_backslash no \
>     iis_delimiter no \
>     iis_unicode no \
>     multi_slash no \
>     utf_8 no \
>     u_encode yes \
>     webroot no
>
> # ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
>
> # Back Orifice detection.
> preprocessor bo
>
> # FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
> preprocessor ftp_telnet_protocol: telnet \
>     ayt_attack_thresh 20 \
>     normalize ports { 23 } \
>     detect_anomalies
> preprocessor ftp_telnet_protocol: ftp server default \
>     def_max_param_len 100 \
>     ports { 21 2100 3535 } \
>     telnet_cmds yes \
>     ignore_telnet_erase_cmds yes \
>     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
>     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
>     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
>     ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
>     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
>     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
>     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
>     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
>     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
>     ftp_cmds { XSEN XSHA1 XSHA256 } \
>     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
>     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
>     alt_max_param_len 256 { CWD RNTO } \
>     alt_max_param_len 400 { PORT } \
>     alt_max_param_len 512 { SIZE } \
>     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
>     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
>     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
>     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
>     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
>     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
>     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
>     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
>     cmd_validity ALLO < int [ char R int ] > \
>     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
>     cmd_validity MACB < string > \
>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>     cmd_validity MODE < char ASBCZ > \
>     cmd_validity PORT < host_port > \
>     cmd_validity PROT < char CSEP > \
>     cmd_validity STRU < char FRPO [ string ] > \
>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
> preprocessor ftp_telnet_protocol: ftp client default \
>     max_resp_len 256 \
>     bounce yes \
>     ignore_telnet_erase_cmds yes \
>     telnet_cmds yes
>
>
> # SMTP normalization and anomaly detection.  For more information, see README.SMTP
> preprocessor smtp: ports { 25 465 587 691 } \
>     inspection_type stateful \
>     b64_decode_depth 0 \
>     qp_decode_depth 0 \
>     bitenc_decode_depth 0 \
>     uu_decode_depth 0 \
>     log_mailfrom \
>     log_rcptto \
>     log_filename \
>     log_email_hdrs \
>     normalize cmds \
>     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     max_command_line_len 512 \
>     max_header_line_len 1000 \
>     max_response_line_len 512 \
>     alt_max_command_line_len 260 { MAIL } \
>     alt_max_command_line_len 300 { RCPT } \
>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     xlink2state { enabled }
>
> # Portscan detection.  For more information, see README.sfportscan
> # preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }
>
> # ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
> # preprocessor arpspoof
> # preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>
> # SSH anomaly detection.  For more information, see README.ssh
> preprocessor ssh: server_ports { 22 } \
>                   autodetect \
>                   max_client_bytes 19600 \
>                   max_encrypted_packets 20 \
>                   max_server_version_len 100 \
>                   enable_respoverflow enable_ssh1crc32 \
>                   enable_srvoverflow enable_protomismatch
>
> # SMB / DCE-RPC normalization and anomaly detection.  For more information, see README.dcerpc2
> preprocessor dcerpc2: memcap 102400, events [co ]
> preprocessor dcerpc2_server: default, policy WinXP, \
>     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
>     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>     smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
>
> # DNS anomaly detection.  For more information, see README.dns
> preprocessor dns: ports { 53 } enable_rdata_overflow
>
> # SSL anomaly detection and traffic bypass.  For more information, see README.ssl
> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
>
> # SDF sensitive data preprocessor.  For more information see README.sensitive_data
> preprocessor sensitive_data: alert_threshold 25
>
> # SIP Session Initiation Protocol preprocessor.  For more information see README.sip
> preprocessor sip: max_sessions 40000, \
>    ports { 5060 5061 5600 }, \
>    methods { invite \
>              cancel \
>              ack \
>              bye \
>              register \
>              options \
>              refer \
>              subscribe \
>              update \
>              join \
>              info \
>              message \
>              notify \
>              benotify \
>              do \
>              qauth \
>              sprack \
>              publish \
>              service \
>              unsubscribe \
>              prack }, \
>    max_uri_len 512, \
>    max_call_id_len 80, \
>    max_requestName_len 20, \
>    max_from_len 256, \
>    max_to_len 256, \
>    max_via_len 1024, \
>    max_contact_len 512, \
>    max_content_len 2048
>
> # IMAP preprocessor.  For more information see README.imap
> preprocessor imap: \
>    ports { 143 } \
>    b64_decode_depth 0 \
>    qp_decode_depth 0 \
>    bitenc_decode_depth 0 \
>    uu_decode_depth 0
>
> # POP preprocessor. For more information see README.pop
> preprocessor pop: \
>    ports { 110 } \
>    b64_decode_depth 0 \
>    qp_decode_depth 0 \
>    bitenc_decode_depth 0 \
>    uu_decode_depth 0
>
> # Modbus preprocessor. For more information see README.modbus
> preprocessor modbus: ports { 502 }
>
> # DNP3 preprocessor. For more information see README.dnp3
> preprocessor dnp3: ports { 20000 } \
>    memcap 262144 \
>    check_crc
>
> # Reputation preprocessor. For more information see README.reputation
> preprocessor reputation: \
>    memcap 500, \
>    priority whitelist, \
>    nested_ip inner, \
>    whitelist $WHITE_LIST_PATH/white_list.rules, \
>    blacklist $BLACK_LIST_PATH/black_list.rules
>
> ###################################################
> # Step #6: Configure output plugins
> # For more information, see Snort Manual, Configuring Snort - Output Modules
> ###################################################
>
> # unified2
> # Recommended for most installs
> # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
> output unified2: filename snort.u2, limit 128
> # Additional configuration for specific types of installs
> output alert_unified2: filename snort.alert, limit 128, nostamp
> output log_unified2: filename snort.log, limit 128, nostamp
>
> # syslog
> output alert_syslog: LOG_AUTH LOG_ALERT
>
> # pcap
> output log_tcpdump: tcpdump.log
>
> # metadata reference data.  do not modify these lines
> include classification.config
> include reference.config
>
>
> ###################################################
> # Step #7: Customize your rule set
> # For more information, see Snort Manual, Writing Snort Rules
> #
> # NOTE: All categories are enabled in this conf file
> ###################################################
>
> # site specific rules
> include $RULE_PATH/local.rules
>
> include $RULE_PATH/app-detect.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/backdoor.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/blacklist.rules
> include $RULE_PATH/botnet-cnc.rules
> include $RULE_PATH/browser-chrome.rules
> include $RULE_PATH/browser-firefox.rules
> include $RULE_PATH/browser-ie.rules
> include $RULE_PATH/browser-other.rules
> include $RULE_PATH/browser-plugins.rules
> include $RULE_PATH/browser-webkit.rules
> include $RULE_PATH/chat.rules
> include $RULE_PATH/content-replace.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/experimental.rules
> include $RULE_PATH/exploit-kit.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/file-executable.rules
> include $RULE_PATH/file-flash.rules
> include $RULE_PATH/file-identify.rules
> include $RULE_PATH/file-image.rules
> include $RULE_PATH/file-java.rules
> include $RULE_PATH/file-multimedia.rules
> include $RULE_PATH/file-office.rules
> include $RULE_PATH/file-other.rules
> include $RULE_PATH/file-pdf.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/icmp-info.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/indicator-compromise.rules
> include $RULE_PATH/indicator-obfuscation.rules
> include $RULE_PATH/indicator-scan.rules
> include $RULE_PATH/indicator-shellcode.rules
> include $RULE_PATH/info.rules
> include $RULE_PATH/malware-backdoor.rules
> include $RULE_PATH/malware-cnc.rules
> include $RULE_PATH/malware-other.rules
> include $RULE_PATH/malware-tools.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/multimedia.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/os-linux.rules
> include $RULE_PATH/os-mobile.rules
> include $RULE_PATH/os-other.rules
> include $RULE_PATH/os-solaris.rules
> include $RULE_PATH/os-windows.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/p2p.rules
> include $RULE_PATH/phishing-spam.rules
> include $RULE_PATH/policy-multimedia.rules
> include $RULE_PATH/policy-other.rules
> include $RULE_PATH/policy.rules
> include $RULE_PATH/policy-social.rules
> include $RULE_PATH/policy-spam.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/protocol-dns.rules
> include $RULE_PATH/protocol-finger.rules
> include $RULE_PATH/protocol-ftp.rules
> include $RULE_PATH/protocol-icmp.rules
> include $RULE_PATH/protocol-imap.rules
> include $RULE_PATH/protocol-nntp.rules
> include $RULE_PATH/protocol-pop.rules
> include $RULE_PATH/protocol-rpc.rules
> include $RULE_PATH/protocol-scada.rules
> include $RULE_PATH/protocol-services.rules
> include $RULE_PATH/protocol-snmp.rules
> include $RULE_PATH/protocol-telnet.rules
> include $RULE_PATH/protocol-tftp.rules
> include $RULE_PATH/protocol-voip.rules
> include $RULE_PATH/pua-adware.rules
> include $RULE_PATH/pua-other.rules
> include $RULE_PATH/pua-p2p.rules
> include $RULE_PATH/pua-toolbars.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/scada.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/server-apache.rules
> include $RULE_PATH/server-iis.rules
> include $RULE_PATH/server-mail.rules
> include $RULE_PATH/server-mssql.rules
> include $RULE_PATH/server-mysql.rules
> include $RULE_PATH/server-oracle.rules
> include $RULE_PATH/server-other.rules
> include $RULE_PATH/server-samba.rules
> include $RULE_PATH/server-webapp.rules
> include $RULE_PATH/shellcode.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/specific-threats.rules
> include $RULE_PATH/spyware-put.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/virus.rules
> include $RULE_PATH/voip.rules
> include $RULE_PATH/web-activex.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/x11.rules
>
> ###################################################
> # Step #8: Customize your preprocessor and decoder alerts
> # For more information, see README.decoder_preproc_rules
> ###################################################
>
> # decoder and preprocessor event rules
> # include $PREPROC_RULE_PATH/preprocessor.rules
> # include $PREPROC_RULE_PATH/decoder.rules
> # include $PREPROC_RULE_PATH/sensitive-data.rules
>
> ###################################################
> # Step #9: Customize your Shared Object Snort Rules
> # For more information, see http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html
> ###################################################
>
> # dynamic library rules
> # include $SO_RULE_PATH/bad-traffic.rules
> # include $SO_RULE_PATH/chat.rules
> # include $SO_RULE_PATH/dos.rules
> # include $SO_RULE_PATH/exploit.rules
> # include $SO_RULE_PATH/icmp.rules
> # include $SO_RULE_PATH/imap.rules
> # include $SO_RULE_PATH/misc.rules
> # include $SO_RULE_PATH/multimedia.rules
> # include $SO_RULE_PATH/netbios.rules
> # include $SO_RULE_PATH/nntp.rules
> # include $SO_RULE_PATH/p2p.rules
> # include $SO_RULE_PATH/smtp.rules
> # include $SO_RULE_PATH/snmp.rules
> # include $SO_RULE_PATH/specific-threats.rules
> # include $SO_RULE_PATH/web-activex.rules
> # include $SO_RULE_PATH/web-client.rules
> # include $SO_RULE_PATH/web-iis.rules
> # include $SO_RULE_PATH/web-misc.rules
>
> # Event thresholding or suppression commands. See threshold.conf
> include threshold.conf
>
