[Snort-users] detection_filter not working

Anna Kowalska annak.koval at ...11827...
Mon Jan 23 11:03:38 EST 2017


Thank you for your examples. I upgraded lately to the 2.9.9.0 version and now
detection_filter works fine. Thank you for your help once again!

2017-01-22 18:15 GMT+01:00 Al Lewis (allewi) <allewi at ...589...>:

> Anna,
>
>
> I noticed in your rule that you had the timer set to 1 second for 20
> packets. If the traffic is being generated by a tool (hping) you may want
> to capture it and make sure that all packets are falling within the time
> period set. Or try raising the timer/lowering the count.
>
>
> Attached is another example. The pcap has been edited (timestamp intervals
> and IPs) to get the traffic within the specified time period of one second.
>
>
> cliffjumper:snort-2.9.9.0-released byob$ tcpdump -n -r etc/ANNA.pcap
> reading from file etc/ANNA.pcap, link-type EN10MB (Ethernet)
> 11:59:54.130000 IP 127.0.0.1.55117 > 127.0.0.4.80: Flags [S], seq 980889214, win 1024, options [mss 1460], length 0
> 11:59:54.180000 IP 127.0.0.1.55117 > 127.0.1.4.80: Flags [S], seq 980889214, win 1024, options [mss 1460], length 0
> 11:59:54.230000 IP 127.0.0.1.55117 > 127.0.2.4.80: Flags [S], seq 980889214, win 1024, options [mss 1460], length 0
> 11:59:54.280000 IP 127.0.0.1.55117 > 127.0.3.4.80: Flags [S], seq 980889214, win 1024, options [mss 1460], length 0
> 11:59:54.330000 IP 127.0.0.1.55117 > 127.0.4.4.80: Flags [S], seq 980889214, win 1024, options [mss 1460], length 0
> 11:59:54.380000 IP 127.0.0.1.55117 > 127.0.5.4.80: Flags [S], seq 980889214, win 1024, options [mss 1460], length 0
> 11:59:54.430000 IP 127.0.0.1.55117 > 127.0.6.4.80: Flags [S], seq 980889214, win 1024, options [mss 1460], length 0
> 11:59:54.480000 IP 127.0.0.1.55117 > 127.0.7.4.80: Flags [S], seq 980889214, win 1024, options [mss 1460], length 0
> 11:59:54.530000 IP 127.0.0.1.55117 > 127.0.8.4.80: Flags [S], seq 980889214, win 1024, options [mss 1460], length 0
> 11:59:54.580000 IP 127.0.0.1.55117 > 127.0.9.4.80: Flags [S], seq 980889214, win 1024, options [mss 1460], length 0
> 11:59:54.630000 IP 127.0.0.1.55117 > 127.0.10.4.80: Flags [S], seq 980889214, win 1024, options [mss 1460], length 0
>
>
> cliffjumper:snort-2.9.9.0-released byob$ ./bin/snort -c etc/ANNA.conf -r etc/ANNA.pcap -Acmg -q
> 01/22-11:59:54.630000  [**] [1:1000001:0] Syn scan [**] [Priority: 0] {TCP} 127.0.0.1:55117 -> 127.0.10.4:80
> 01/22-11:59:54.630000 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x3A
> 127.0.0.1:55117 -> 127.0.10.4:80 TCP TTL:55 TOS:0x0 ID:21861 IpLen:20 DgmLen:44
> ******S* Seq: 0x3A772E7E  Ack: 0x0  Win: 0x400  TcpLen: 24
> TCP Options (1) => MSS: 1460
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
>
> ipvar HOME_NET 127.0.0.0/16
>
> alert tcp any any -> $HOME_NET 80 ( \
>         msg:"Syn scan"; \
>         flags:S; \
>         detection_filter:track by_src, count 10, seconds 1; \
>         sid:1000001; )
>
>
> I tried on 2.9.8.3 and on 2.9.9 and it works on both.
>
>
> Hope this helps!
>
>
>
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> Email: allewi at ...589...
>
> From: allewi <allewi at ...589...>
> Date: Thursday, January 19, 2017 at 4:51 PM
> To: Anna Kowalska <annak.koval at ...11827...>
> Cc: 'snort-users' <snort-users at lists.sourceforge.net>
>
> Subject: Re: [Snort-users] detection_filter not working
>
> Here is one with a detection filter to get you started.
>
>
> ALLEWI-M-8257:snort-2.9.8.3 allewi$ ./bin/snort -c etc/scan.conf -r etc/scan.pcap -Acmg -k none -q
> 12/02-08:42:23.035169  [**] [1:1000001:0] Possible ACK SCAN reply or RST scan [**] [Priority: 0] {TCP} 127.0.0.1:49156 -> 127.0.0.1:34001
> 12/02-08:42:23.035169 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x36
> 127.0.0.1:49156 -> 127.0.0.1:34001 TCP TTL:64 TOS:0x0 ID:25774 IpLen:20 DgmLen:40 DF
> *****R** Seq: 0x522CDFB6  Ack: 0x0  Win: 0x0  TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
> Uses this:
>
> alert tcp any any -> any any ( \
>         msg:"Possible ACK SCAN reply or RST scan"; \
>         flags:R; \
>         detection_filter:track by_src, count 20, seconds 3; \
>         sid:1000001; )
>
>
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> Email: allewi at ...589...
>
> From: "Russ Combs (rucombs)" <rucombs at ...589...>
> Date: Thursday, January 19, 2017 at 4:01 PM
> To: 'snort-users' <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] detection_filter not working
>
> What is the original rule you had with threshold?
>
> On 1/19/17 3:40 PM, Anna Kowalska wrote:
>
> Hi,
>
> Fatema, I tried it, but it didn't work. Joel gave me a suggestion that
> maybe my version of Snort (2.9.8.3) has a bug with detection_filter. After
> I finish working with my current project I will upgrade to the 2.9.9 version
> and check whether the problem is gone.
>
> 2017-01-19 12:05 GMT+01:00 Al Lewis (allewi) <allewi at ...589...>:
>
>> Hello,
>>
>> Did you get this working?
>>
>>
>> *Albert Lewis*
>>
>> ENGINEER.SOFTWARE ENGINEERING
>>
>> SOURCE*fire*, Inc. now part of *Cisco*
>>
>> Email: allewi at ...589...
>>
>> From: Anna Kowalska <annak.koval at ...11827...>
>> Date: Saturday, January 14, 2017 at 8:20 AM
>> To: 'snort-users' <snort-users at lists.sourceforge.net>
>> Subject: [Snort-users] detection_filter not working
>>
>> Hi all,
>>
>> I am struggling with making one rule work. I want to set an alarm when Snort
>> detects too many SYN packets (possible TCP SYN flood), and it works when
>> I use the threshold option in the rule. Then I tried it with detection_filter and
>> it doesn't give any alarm.
>> Here is the rule I wrote in my local.rules file:
>>
>> alert tcp any any -> $HOME_NET 80 (msg:"syn flood attempt"; flags:S; classtype:attempted-dos; detection_filter: track by_src, count 20, seconds 1; sid: 1000024;)
>>
>> I proceed with hping3, but Snort generated no output. Please tell me what
>> I am doing wrong; maybe I forgot to attach something to the configuration, but I
>> really have no idea what it could be.
>>
>> commandline: snort -i eth0 -c /etc/snort/snort.conf -A console
>>
>> configuration file:
>> ###################################################
>> # Step #3: Configure the base detection engine.  For more information, see README.decode
>> ###################################################
>>
>> # Configure PCRE match limitations
>> config pcre_match_limit: 3500
>> config pcre_match_limit_recursion: 1500
>>
>> # Configure the detection engine.  See the Snort Manual, Configuring Snort - Includes - Config
>> config detection: search-method ac-split search-optimize max-pattern-len 20
>>
>> # Configure the event queue.  For more information, see README.event_queue
>> config event_queue: max_queue 8 log 5 order_events content_length
>>
>> ###################################################
>> ## Configure GTP if it is to be used.
>> ## For more information, see README.GTP
>> ####################################################
>>
>> # config enable_gtp
>>
>> ###################################################
>> # Per packet and rule latency enforcement
>> # For more information see README.ppm
>> ###################################################
>>
>> # Per Packet latency configuration
>> #config ppm: max-pkt-time 250, \
>> #   fastpath-expensive-packets, \
>> #   pkt-log
>>
>> # Per Rule latency configuration
>> #config ppm: max-rule-time 200, \
>> #   threshold 3, \
>> #   suspend-expensive-rules, \
>> #   suspend-timeout 20, \
>> #   rule-log alert
>>
>> ###################################################
>> # Configure Perf Profiling for debugging
>> # For more information see README.PerfProfiling
>> ###################################################
>>
>> #config profile_rules: print all, sort avg_ticks
>> #config profile_preprocs: print all, sort avg_ticks
>>
>> ###################################################
>> # Configure protocol aware flushing
>> # For more information see README.stream5
>> ###################################################
>> config paf_max: 16000
>>
>> ###################################################
>> # Step #4: Configure dynamic loaded libraries.
>> # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
>> ###################################################
>>
>> # path to dynamic preprocessor libraries
>> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>>
>> # path to base preprocessor engine
>> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>
>> # path to dynamic rules libraries
>> dynamicdetection directory /usr/local/lib/snort_dynamicrules
>>
>> ###################################################
>> # Step #5: Configure preprocessors
>> # For more information, see the Snort Manual, Configuring Snort - Preprocessors
>> ###################################################
>>
>> # GTP Control Channel Preprocessor. For more information, see README.GTP
>> # preprocessor gtp: ports { 2123 3386 2152 }
>>
>> # Inline packet normalization. For more information, see README.normalize
>> # Does nothing in IDS mode
>> preprocessor normalize_ip4
>> preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
>> preprocessor normalize_icmp4
>> preprocessor normalize_ip6
>> preprocessor normalize_icmp6
>>
>> # Target-based IP defragmentation.  For more information, see README.frag3
>> preprocessor frag3_global: max_frags 65536
>> preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
>>
>> # Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
>> preprocessor stream5_global: track_tcp yes, \
>>    track_udp yes, \
>>    track_icmp no, \
>>    max_tcp 262144, \
>>    max_udp 131072, \
>>    max_active_responses 2, \
>>    min_response_seconds 5
>>
>> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>>     ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \
>>         161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
>>         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>>     ports both 36 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5450 5600 5814 6080 6173 6988 7907 7000 7001 7005 7071 7144 7145 7510 7802 7770 7777 7778 7779 \
>>         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
>>         7917 7918 7919 7920 8000 8001 8008 8014 8015 8020 8028 8040 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090 9091 9111 9290 9443 9447 9710 9788 9999 10000 11371 12601 13014 15489 19980 29991 33300 34412 34443 34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712
>> preprocessor stream5_icmp: timeout 30
>> preprocessor stream5_udp: timeout 180
>>
>> # performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
>> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>>
>> # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
>> preprocessor http_inspect_server: server default \
>>     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>>     chunk_length 500000 \
>>     server_flow_depth 0 \
>>     client_flow_depth 0 \
>>     post_depth 65495 \
>>     oversize_dir_length 500 \
>>     max_header_length 750 \
>>     max_headers 100 \
>>     max_spaces 200 \
>>     small_chunk_length { 10 5 } \
>>     ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5450 5600 5814 6080 6173 6988 7000 7001 7005 7071 7144 7145 7510 7770 7777 7778 7779 8000 8001 8008 8014 8015 8020 8028 8040 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090 9091 9111 9290 9443 9447 9710 9788 9999 10000 11371 12601 13014 15489 19980 29991 33300 34412 34443 34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 } \
>>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>     enable_cookie \
>>     extended_response_inspection \
>>     inspect_gzip \
>>     normalize_utf \
>>     unlimited_decompress \
>>     normalize_javascript \
>>     apache_whitespace no \
>>     ascii no \
>>     bare_byte no \
>>     directory no \
>>     double_decode no \
>>     iis_backslash no \
>>     iis_delimiter no \
>>     iis_unicode no \
>>     multi_slash no \
>>     utf_8 no \
>>     u_encode yes \
>>     webroot no
>>
>> # ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
>> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
>>
>> # Back Orifice detection.
>> preprocessor bo
>>
>> # FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
>> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
>> preprocessor ftp_telnet_protocol: telnet \
>>     ayt_attack_thresh 20 \
>>     normalize ports { 23 } \
>>     detect_anomalies
>> preprocessor ftp_telnet_protocol: ftp server default \
>>     def_max_param_len 100 \
>>     ports { 21 2100 3535 } \
>>     telnet_cmds yes \
>>     ignore_telnet_erase_cmds yes \
>>     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
>>     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
>>     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
>>     ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
>>     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
>>     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
>>     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
>>     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
>>     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
>>     ftp_cmds { XSEN XSHA1 XSHA256 } \
>>     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
>>     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
>>     alt_max_param_len 256 { CWD RNTO } \
>>     alt_max_param_len 400 { PORT } \
>>     alt_max_param_len 512 { SIZE } \
>>     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
>>     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
>>     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
>>     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
>>     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
>>     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
>>     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
>>     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
>>     cmd_validity ALLO < int [ char R int ] > \
>>     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
>>     cmd_validity MACB < string > \
>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>     cmd_validity MODE < char ASBCZ > \
>>     cmd_validity PORT < host_port > \
>>     cmd_validity PROT < char CSEP > \
>>     cmd_validity STRU < char FRPO [ string ] > \
>>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
>> preprocessor ftp_telnet_protocol: ftp client default \
>>     max_resp_len 256 \
>>     bounce yes \
>>     ignore_telnet_erase_cmds yes \
>>     telnet_cmds yes
>>
>>
>> # SMTP normalization and anomaly detection.  For more information, see README.SMTP
>> preprocessor smtp: ports { 25 465 587 691 } \
>>     inspection_type stateful \
>>     b64_decode_depth 0 \
>>     qp_decode_depth 0 \
>>     bitenc_decode_depth 0 \
>>     uu_decode_depth 0 \
>>     log_mailfrom \
>>     log_rcptto \
>>     log_filename \
>>     log_email_hdrs \
>>     normalize cmds \
>>     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>>     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>>     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>>     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>>     max_command_line_len 512 \
>>     max_header_line_len 1000 \
>>     max_response_line_len 512 \
>>     alt_max_command_line_len 260 { MAIL } \
>>     alt_max_command_line_len 300 { RCPT } \
>>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>>     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>>     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>>     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>>     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>>     xlink2state { enabled }
>>
>> # Portscan detection.  For more information, see README.sfportscan
>> preprocessor sfportscan: proto  { all } scan_type { all }  memcap { 10000000 } sense_level { high } logfile { /var/log/snort/PORTSCAN.log } detect_ack_scans
>>
>> # ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
>> # preprocessor arpspoof
>> # preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>>
>> # SSH anomaly detection.  For more information, see README.ssh
>> preprocessor ssh: server_ports { 22 } \
>>                   autodetect \
>>                   max_client_bytes 19600 \
>>                   max_encrypted_packets 20 \
>>                   max_server_version_len 100 \
>>                   enable_respoverflow enable_ssh1crc32 \
>>                   enable_srvoverflow enable_protomismatch
>>
>> # SMB / DCE-RPC normalization and anomaly detection.  For more information, see README.dcerpc2
>> preprocessor dcerpc2: memcap 102400, events [co ]
>> preprocessor dcerpc2_server: default, policy WinXP, \
>>     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
>>     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>>     smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
>>
>> # DNS anomaly detection.  For more information, see README.dns
>> preprocessor dns: ports { 53 } enable_rdata_overflow
>>
>> # SSL anomaly detection and traffic bypass.  For more information, see README.ssl
>> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 5061 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
>>
>> # SDF sensitive data preprocessor.  For more information see README.sensitive_data
>> preprocessor sensitive_data: alert_threshold 25
>>
>> # SIP Session Initiation Protocol preprocessor.  For more information see README.sip
>> preprocessor sip: max_sessions 40000, \
>>    ports { 5060 5061 5600 }, \
>>    methods { invite \
>>              cancel \
>>              ack \
>>              bye \
>>              register \
>>              options \
>>              refer \
>>              subscribe \
>>              update \
>>              join \
>>              info \
>>              message \
>>              notify \
>>              benotify \
>>              do \
>>              qauth \
>>              sprack \
>>              publish \
>>              service \
>>              unsubscribe \
>>              prack }, \
>>    max_uri_len 512, \
>>    max_call_id_len 80, \
>>    max_requestName_len 20, \
>>    max_from_len 256, \
>>    max_to_len 256, \
>>    max_via_len 1024, \
>>    max_contact_len 512, \
>>    max_content_len 2048
>>
>> # IMAP preprocessor.  For more information see README.imap
>> preprocessor imap: \
>>    ports { 143 } \
>>    b64_decode_depth 0 \
>>    qp_decode_depth 0 \
>>    bitenc_decode_depth 0 \
>>    uu_decode_depth 0
>>
>> # POP preprocessor. For more information see README.pop
>> preprocessor pop: \
>>    ports { 110 } \
>>    b64_decode_depth 0 \
>>    qp_decode_depth 0 \
>>    bitenc_decode_depth 0 \
>>    uu_decode_depth 0
>>
>> # Modbus preprocessor. For more information see README.modbus
>> preprocessor modbus: ports { 502 }
>>
>> # DNP3 preprocessor. For more information see README.dnp3
>> preprocessor dnp3: ports { 20000 } \
>>    memcap 262144 \
>>    check_crc
>>
>> # Reputation preprocessor. For more information see README.reputation
>> preprocessor reputation: \
>>    memcap 500, \
>>    priority whitelist, \
>>    nested_ip inner, \
>>    whitelist $WHITE_LIST_PATH/white_list.rules, \
>>    blacklist $BLACK_LIST_PATH/black_list.rules
>>
>> ###################################################
>> # Step #6: Configure output plugins
>> # For more information, see Snort Manual, Configuring Snort - Output Modules
>> ###################################################
>>
>> # unified2
>> # Recommended for most installs
>> # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
>>
>> # Additional configuration for specific types of installs
>> # output alert_unified2: filename snort.alert, limit 128, nostamp
>> # output log_unified2: filename snort.log, limit 128, nostamp
>>
>> # syslog
>> # output alert_syslog: LOG_AUTH LOG_ALERT
>>
>> # pcap
>> # output log_tcpdump: tcpdump.log
>>
>> # metadata reference data.  do not modify these lines
>> include classification.config
>> include reference.config
>>
>>
>> ###################################################
>> # Step #7: Customize your rule set
>> # For more information, see Snort Manual, Writing Snort Rules
>> #
>> # NOTE: All categories are enabled in this conf file
>> ###################################################
>>
>> # site specific rules
>> include $RULE_PATH/local.rules
>>
>> include $RULE_PATH/app-detect.rules
>> include $RULE_PATH/attack-responses.rules
>> include $RULE_PATH/backdoor.rules
>> include $RULE_PATH/bad-traffic.rules
>> include $RULE_PATH/blacklist.rules
>> include $RULE_PATH/botnet-cnc.rules
>> include $RULE_PATH/browser-chrome.rules
>> include $RULE_PATH/browser-firefox.rules
>> include $RULE_PATH/browser-ie.rules
>> include $RULE_PATH/browser-other.rules
>> include $RULE_PATH/browser-plugins.rules
>> include $RULE_PATH/browser-webkit.rules
>> include $RULE_PATH/chat.rules
>> include $RULE_PATH/content-replace.rules
>> include $RULE_PATH/ddos.rules
>> include $RULE_PATH/dns.rules
>> include $RULE_PATH/dos.rules
>> include $RULE_PATH/experimental.rules
>> include $RULE_PATH/exploit-kit.rules
>> include $RULE_PATH/exploit.rules
>> include $RULE_PATH/file-executable.rules
>> include $RULE_PATH/file-flash.rules
>> include $RULE_PATH/file-identify.rules
>> include $RULE_PATH/file-image.rules
>> include $RULE_PATH/file-java.rules
>> include $RULE_PATH/file-multimedia.rules
>> include $RULE_PATH/file-office.rules
>> include $RULE_PATH/file-other.rules
>> include $RULE_PATH/file-pdf.rules
>> include $RULE_PATH/finger.rules
>> include $RULE_PATH/ftp.rules
>> include $RULE_PATH/icmp-info.rules
>> include $RULE_PATH/icmp.rules
>> include $RULE_PATH/imap.rules
>> include $RULE_PATH/indicator-compromise.rules
>> include $RULE_PATH/indicator-obfuscation.rules
>> include $RULE_PATH/indicator-scan.rules
>> include $RULE_PATH/indicator-shellcode.rules
>> include $RULE_PATH/info.rules
>> include $RULE_PATH/malware-backdoor.rules
>> include $RULE_PATH/malware-cnc.rules
>> include $RULE_PATH/malware-other.rules
>> include $RULE_PATH/malware-tools.rules
>> include $RULE_PATH/misc.rules
>> include $RULE_PATH/multimedia.rules
>> include $RULE_PATH/mysql.rules
>> include $RULE_PATH/netbios.rules
>> include $RULE_PATH/nntp.rules
>> include $RULE_PATH/oracle.rules
>> include $RULE_PATH/os-linux.rules
>> include $RULE_PATH/os-mobile.rules
>> include $RULE_PATH/os-other.rules
>> include $RULE_PATH/os-solaris.rules
>> include $RULE_PATH/os-windows.rules
>> include $RULE_PATH/other-ids.rules
>> include $RULE_PATH/p2p.rules
>> include $RULE_PATH/phishing-spam.rules
>> include $RULE_PATH/policy-multimedia.rules
>> include $RULE_PATH/policy-other.rules
>> include $RULE_PATH/policy.rules
>> include $RULE_PATH/policy-social.rules
>> include $RULE_PATH/policy-spam.rules
>> include $RULE_PATH/pop2.rules
>> include $RULE_PATH/pop3.rules
>> include $RULE_PATH/protocol-dns.rules
>> include $RULE_PATH/protocol-finger.rules
>> include $RULE_PATH/protocol-ftp.rules
>> include $RULE_PATH/protocol-icmp.rules
>> include $RULE_PATH/protocol-imap.rules
>> include $RULE_PATH/protocol-nntp.rules
>> include $RULE_PATH/protocol-other.rules
>> include $RULE_PATH/protocol-pop.rules
>> include $RULE_PATH/protocol-rpc.rules
>> include $RULE_PATH/protocol-scada.rules
>> include $RULE_PATH/protocol-services.rules
>> include $RULE_PATH/protocol-snmp.rules
>> include $RULE_PATH/protocol-telnet.rules
>> include $RULE_PATH/protocol-tftp.rules
>> include $RULE_PATH/protocol-voip.rules
>> include $RULE_PATH/pua-adware.rules
>> include $RULE_PATH/pua-other.rules
>> include $RULE_PATH/pua-p2p.rules
>> include $RULE_PATH/pua-toolbars.rules
>> include $RULE_PATH/rpc.rules
>> include $RULE_PATH/rservices.rules
>> include $RULE_PATH/scada.rules
>> include $RULE_PATH/scan.rules
>> include $RULE_PATH/server-apache.rules
>> include $RULE_PATH/server-iis.rules
>> include $RULE_PATH/server-mail.rules
>> include $RULE_PATH/server-mssql.rules
>> include $RULE_PATH/server-mysql.rules
>> include $RULE_PATH/server-oracle.rules
>> include $RULE_PATH/server-other.rules
>> include $RULE_PATH/server-samba.rules
>> include $RULE_PATH/server-webapp.rules
>> include $RULE_PATH/shellcode.rules
>> include $RULE_PATH/smtp.rules
>> include $RULE_PATH/snmp.rules
>> include $RULE_PATH/specific-threats.rules
>> include $RULE_PATH/spyware-put.rules
>> include $RULE_PATH/sql.rules
>> include $RULE_PATH/telnet.rules
>> include $RULE_PATH/tftp.rules
>> include $RULE_PATH/virus.rules
>> include $RULE_PATH/voip.rules
>> include $RULE_PATH/web-activex.rules
>> include $RULE_PATH/web-attacks.rules
>> include $RULE_PATH/web-cgi.rules
>> include $RULE_PATH/web-client.rules
>> include $RULE_PATH/web-coldfusion.rules
>> include $RULE_PATH/web-frontpage.rules
>> include $RULE_PATH/web-iis.rules
>> include $RULE_PATH/web-misc.rules
>> include $RULE_PATH/web-php.rules
>> include $RULE_PATH/x11.rules
>>
>> #Include MyRULES
>>
>> include $RULE_PATH/mytest.rules
>> include $RULE_PATH/mylog.rules
>>
>> ###################################################
>> # Step #8: Customize your preprocessor and decoder alerts
>> # For more information, see README.decoder_preproc_rules
>> ###################################################
>>
>> # decoder and preprocessor event rules
>>  include $PREPROC_RULE_PATH/preprocessor.rules
>>  include $PREPROC_RULE_PATH/decoder.rules
>>  include $PREPROC_RULE_PATH/sensitive-data.rules
>>
>> ###################################################
>> # Step #9: Customize your Shared Object Snort Rules
>> # For more information, see http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html
>> ###################################################
>>
>> # dynamic library rules
>> # include $SO_RULE_PATH/browser-ie.rules
>> # include $SO_RULE_PATH/browser-other.rules
>> # include $SO_RULE_PATH/exploit-kit.rules
>> # include $SO_RULE_PATH/file-flash.rules
>> # include $SO_RULE_PATH/file-image.rules
>> # include $SO_RULE_PATH/file-java.rules
>> # include $SO_RULE_PATH/file-multimedia.rules
>> # include $SO_RULE_PATH/file-office.rules
>> # include $SO_RULE_PATH/file-other.rules
>> # include $SO_RULE_PATH/file-pdf.rules
>> # include $SO_RULE_PATH/indicator-shellcode.rules
>> # include $SO_RULE_PATH/malware-cnc.rules
>> # include $SO_RULE_PATH/malware-other.rules
>> # include $SO_RULE_PATH/netbios.rules
>> # include $SO_RULE_PATH/os-linux.rules
>> # include $SO_RULE_PATH/os-other.rules
>> # include $SO_RULE_PATH/os-windows.rules
>> # include $SO_RULE_PATH/policy-social.rules
>> # include $SO_RULE_PATH/protocol-dns.rules
>> # include $SO_RULE_PATH/protocol-nntp.rules
>> # include $SO_RULE_PATH/protocol-other.rules
>> # include $SO_RULE_PATH/protocol-snmp.rules
>> # include $SO_RULE_PATH/protocol-voip.rules
>> # include $SO_RULE_PATH/pua-p2p.rules
>> # include $SO_RULE_PATH/server-apache.rules
>> # include $SO_RULE_PATH/server-iis.rules
>> # include $SO_RULE_PATH/server-mail.rules
>> # include $SO_RULE_PATH/server-mysql.rules
>> # include $SO_RULE_PATH/server-oracle.rules
>> # include $SO_RULE_PATH/server-other.rules
>> # include $SO_RULE_PATH/server-webapp.rules
>>
>> # legacy dynamic library rule files
>> # include $SO_RULE_PATH/bad-traffic.rules
>> # include $SO_RULE_PATH/browser-ie.rules
>> # include $SO_RULE_PATH/chat.rules
>> # include $SO_RULE_PATH/dos.rules
>> # include $SO_RULE_PATH/exploit.rules
>> # include $SO_RULE_PATH/file-flash.rules
>> # include $SO_RULE_PATH/icmp.rules
>> # include $SO_RULE_PATH/imap.rules
>> # include $SO_RULE_PATH/misc.rules
>> # include $SO_RULE_PATH/multimedia.rules
>> # include $SO_RULE_PATH/netbios.rules
>> # include $SO_RULE_PATH/nntp.rules
>> # include $SO_RULE_PATH/p2p.rules
>> # include $SO_RULE_PATH/smtp.rules
>> # include $SO_RULE_PATH/snmp.rules
>> # include $SO_RULE_PATH/specific-threats.rules
>> # include $SO_RULE_PATH/web-activex.rules
>> # include $SO_RULE_PATH/web-client.rules
>> # include $SO_RULE_PATH/web-iis.rules
>> # include $SO_RULE_PATH/web-misc.rules
>>
>> # Event thresholding or suppression commands. See threshold.conf
>> include threshold.conf
>>
>> rate_filter \
>>         gen_id 135, sig_id 1, \
>>         track by_src, \
>>         count 100, seconds 5, \
>>        new_action alert, timeout 10
>>
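Two things decide whether the rules in this thread fire: detection_filter only alerts once a tracked source exceeds `count` matches inside the `seconds` window, and the window only counts packets that really arrive that close together, which is why Al suggests checking the capture timing before blaming the rule. The following is an added example written for this page, not code from the thread, from Snort or from Cisco. It models the documented detection_filter semantics in Python (assumption: a window opens at the first match and is restarted when a match arrives `seconds` or more later; this is a model, not Snort's own sfthd implementation) and replays tcpdump lines through a rule shaped like Al's `flags:S; detection_filter:track by_src, count 10, seconds 1`. `SAMPLE_LINES` is built from the eleven SYNs shown in Al's tcpdump output; `spread_lines`, the `10.0.0.x` addresses and all function names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the eleven SYNs from the tcpdump output in the thread,
# rejoined onto one line each (one source, eleven destinations, 50 ms apart).
SAMPLE_LINES: List[str] = [
    (f"11:59:54.{130000 + 50000 * i:06d} IP 127.0.0.1.55117 > 127.0.{i}.4.80: "
     f"Flags [S], seq 980889214, win 1024, options [mss 1460], length 0")
    for i in range(11)
]

# One "tcpdump -n" line for a TCP packet: timestamp, IPv4 src.port > dst.port, flags.
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


@dataclass(frozen=True)
class Packet:
    stamp: str    # timestamp text as tcpdump printed it, kept for reporting
    ts: float     # seconds since midnight, microsecond resolution
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # tcpdump flag letters: "S" for a bare SYN, "S." for SYN/ACK


def parse_tcpdump_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; return None for lines that are not TCP packets."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = (int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
          + int(m["us"]) / 1_000_000)
    return Packet(stamp=line.strip().split(" ", 1)[0], ts=ts,
                  src=m["src"], sport=int(m["sport"]),
                  dst=m["dst"], dport=int(m["dport"]), flags=m["flags"])


class DetectionFilter:
    """Model of detection_filter: track by_src|by_dst, count C, seconds S.

    A window for a tracked address opens at its first rule match. Matches that
    arrive less than S seconds after the window opened are counted, and every
    match beyond the C-th in that window fires the rule. A match S or more
    seconds after the window opened starts a fresh window, so a slow stream of
    matches never fires. Assumption: this follows the documented semantics and
    is not Snort's own sfthd code.
    """

    def __init__(self, count: int, seconds: int, track: str = "by_src"):
        if count < 1 or seconds < 1 or track not in ("by_src", "by_dst"):
            raise ValueError("count and seconds must be >= 1; track by_src|by_dst")
        self.count, self.seconds, self.track = count, seconds, track
        self._windows: Dict[str, List[float]] = {}   # key -> [window_start, matches]

    def match(self, pkt: Packet) -> bool:
        key = pkt.src if self.track == "by_src" else pkt.dst
        win = self._windows.get(key)
        if win is None or pkt.ts - win[0] >= self.seconds:
            self._windows[key] = [pkt.ts, 1]
            return False                  # first match of a window never fires (count >= 1)
        win[1] += 1
        return win[1] > self.count


def run_rule(lines: List[str], count: int, seconds: int,
             flags: str = "S", dport: int = 80, track: str = "by_src") -> List[Packet]:
    """Replay tcpdump lines through a rule shaped like the thread's:
    alert tcp any any -> any <dport> (flags:<flags>; detection_filter:track <track>,
    count <count>, seconds <seconds>;). Returns the packets the rule would alert on."""
    df = DetectionFilter(count, seconds, track)
    alerts: List[Packet] = []
    for line in lines:
        pkt = parse_tcpdump_line(line)
        # flags:S matches a bare SYN only, so "S." (SYN/ACK) is excluded here as well
        if pkt is None or pkt.dport != dport or pkt.flags != flags:
            continue
        if df.match(pkt):
            alerts.append(pkt)
    return alerts


def spread_lines(n: int, gap: float) -> List[str]:
    """Constructed input: n SYNs from one source to one server, `gap` seconds apart."""
    out = []
    for i in range(n):
        h, rem = divmod(i * gap, 3600)
        mnt, sec = divmod(rem, 60)
        out.append(f"{int(h):02d}:{int(mnt):02d}:{sec:09.6f} IP 10.0.0.9.40000 > "
                   f"10.0.0.1.80: Flags [S], seq 1, win 1024, length 0")
    return out


if __name__ == "__main__":
    for count, seconds in ((10, 1), (20, 1)):
        hits = run_rule(SAMPLE_LINES, count, seconds)
        print(f"capture from the thread, count {count} seconds {seconds}: "
              f"alerts at {[p.stamp for p in hits]}")
    print("11 SYNs 200 ms apart, count 10 seconds 1:",
          [p.stamp for p in run_rule(spread_lines(11, 0.2), 10, 1)])
```

With the thread's capture and `count 10, seconds 1` the only alert is on the eleventh SYN at 11:59:54.630000, matching Al's Snort output; with Anna's original `count 20` the same eleven packets produce nothing. The `spread_lines` case shows the other failure mode: eleven SYNs 200 ms apart never reach the count before the one-second window restarts, so a generator that is slower than the rule's rate produces no alert even though "many" SYNs were sent. Running a capture through this model is a quick way to check rule parameters against the real packet timing before changing the configuration.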