[Snort-users] Configuring Snort to work with Pytbull

Sarfraz Saddiq safs at email.com
Tue May 22 07:43:28 EDT 2018


Hi, 

I am new to Snort, and I was wondering if you could help me, as I just cannot
figure this out.

 

I am trying to test Snort by using Pytbull to deliver various attack
payloads, but whenever I run pytbull it reports:

 

***ERROR: FTP Error, 550 Failed to open file.

Check your configuration (section FTP in config.cfg).

Also check privileges on remote host.

 

I do have FTP access to the Snort machine and can log in as that FTP user without any problem.

 

This is the config snippet from Pytbull:

 

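# Pytbull config.cfg (read by Python ConfigParser; '#' comments on their own
# line). NOTE(review): the keys above [ENV] belong to the section whose header
# sits above this snippet -- keep them under it.
db                      = data/pytbull.db
# Where the malicious PDF samples are downloaded from. Keep the value on ONE
# line: a value continued on an unindented next line is a ConfigParser parse
# error (the mail client wrapped it).
urlpdf                  = https://github.com/sebastiendamaye/public/raw/master/infected/
pdfdir                  = pdf/malicious
pcapdir                 = pcap
# Predictable path in a shared /tmp. If pytbull runs as root, a pre-existing
# symlink at this name would be followed -- consider a private directory.
tempfile                = /tmp/pytbull.tmp
# The IDS alert file pytbull fetches from the Snort host over FTP (RETR) after
# each test. It must exist AND be readable by ftpuser (see [FTP]); otherwise the
# FTP server answers "550 Failed to open file", which is the error reported.
# /var/log/snort/alert is the Snort 2 default file name -- the Snort 3 alert_*
# output modules do not create that file by default, so point this at the file
# the configured output module actually writes (see section 8 of snort.lua).
alertsfile              = /var/log/snort/alert
#alertsfile              = /var/log/suricata/fast.log

[ENV]
# Attack tools are launched through sudo; every path below must exist on the
# pytbull host.
sudo                    = /usr/bin/sudo
nmap                    = /usr/bin/nmap
nikto                   = /usr/share/golismero/tools/nikto/nikto.pl
niktoconf               = /usr/share/golismero/tools/nikto/nikto.conf
hping3                  = /usr/sbin/hping3
tcpreplay               = /usr/bin/tcpreplay
ab                      = /usr/bin/ab
ping                    = /bin/ping
ncrack                  = /usr/bin/ncrack
ncrackusers             = /opt/pytbull/data/ncrack-users.txt
ncrackpasswords         = /opt/pytbull/data/ncrack-passwords.txt
localhost               = 127.0.0.1

[FTP]
# Plain FTP: this password is stored here in clear text and crosses the network
# in clear text on every run (the sensor will see it too). Use a throw-away
# account on the Snort host that can only read the alert file, and restrict
# this file to the pytbull user (chmod 600).
ftpproto                = ftp
ftpport                 = 21
ftpuser                 = saffy
ftppasswd               = toor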

 

And this is the config from Snort:

---------------------------------------------------------------------------

-- Snort++ configuration

---------------------------------------------------------------------------

 

-- there are over 200 modules available to tune your policy.

-- many can be used with defaults w/o any explicit configuration.

-- use this conf as a template for your specific configuration.

 

-- 1. configure environment

-- 2. configure defaults

-- 3. configure inspection

-- 4. configure bindings

-- 5. configure performance

-- 6. configure detection

-- 7. configure filters

-- 8. configure outputs

 

---------------------------------------------------------------------------

-- 1. configure environment

---------------------------------------------------------------------------

 

-- given:

-- export DIR=/install/path

-- configure --prefix=$DIR

-- make install

 

-- then:

-- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;

-- export SNORT_LUA_PATH=$DIR/etc/snort

 

-- this depends on LUA_PATH

-- used to load this conf into Snort

-- Pull in the snort_config helpers; resolved through LUA_PATH (see above).
require('snort_config')

-- Directory holding snort_defaults.lua and file_magic.lua, resolved through
-- SNORT_LUA_PATH. When the variable is unset this falls back to the current
-- working directory -- with `sudo snort ...` that means the defaults are
-- loaded from wherever the command happened to be run, so set SNORT_LUA_PATH
-- explicitly instead of relying on the fallback.
conf_dir = os.getenv('SNORT_LUA_PATH') or '.'

 

---------------------------------------------------------------------------

-- 2. configure defaults

---------------------------------------------------------------------------

 

-- HOME_NET and EXTERNAL_NET must be set now

-- setup the network addresses you are protecting

-- Address variables rules refer to as $HOME_NET / $EXTERNAL_NET; both must
-- be defined before the default tables are loaded below.
-- 'any'/'any' keeps every rule eligible regardless of direction; the
-- template's advice stands: set HOME_NET to the addresses the sensor
-- protects (here, the Snort host pytbull targets) so that directional
-- rules ($EXTERNAL_NET -> $HOME_NET) mean what they say.
HOME_NET, EXTERNAL_NET = 'any', 'any'

-- Shared default tables (default_ftp_server, default_wizard, ...) and the
-- file_magic rule list used by file_id, both taken from conf_dir.
for _, helper in ipairs({ 'snort_defaults.lua', 'file_magic.lua' }) do
    dofile(conf_dir .. '/' .. helper)
end

 

---------------------------------------------------------------------------

-- 3. configure inspection

---------------------------------------------------------------------------

 

-- mod = { } uses internal defaults

-- you can see them with snort --help-module mod

 

-- mod = default_mod uses external defaults

-- you can see them in snort_defaults.lua

 

-- the following are quite capable with defaults:

 

-- Inspectors enabled with their built-in defaults: `name = { }` switches the
-- inspector on; `snort --help-module <name>` lists its knobs.

-- Flow tracking, required by every TCP/UDP-aware inspector below.
stream      = { }
stream_ip   = { }
stream_icmp = { }
stream_tcp  = { }
stream_udp  = { }
stream_user = { }
stream_file = { }

-- Application-layer inspectors, defaults only.
arp_spoof     = { }
back_orifice  = { }
dnp3          = { }
dns           = { }
http_inspect  = { }
http2_inspect = { }
imap          = { }
modbus        = { }
normalizer    = { }
pop           = { }
rpc_decode    = { }
sip           = { }
ssh           = { }
ssl           = { }
telnet        = { }

-- DCE/RPC family.
dce_smb         = { }
dce_tcp         = { }
dce_udp         = { }
dce_http_proxy  = { }
dce_http_server = { }

-- Inspectors whose defaults come from snort_defaults.lua (default_*).
gtp_inspect = default_gtp
port_scan   = default_med_port_scan
smtp        = default_smtp

-- FTP. Note that a pytbull run also opens a real FTP session to this host
-- to fetch the alert file, so if the sensor listens on the same interface
-- these inspectors will see that (clear-text) session as well.
ftp_server = default_ftp_server
ftp_client = { }
ftp_data   = { }

-- File type identification, driven by the rules loaded from file_magic.lua.
file_id = { file_rules = file_magic }

-- Needs extra setup to be useful: appid rules only work once the detector
-- directory is configured.
appid =
{
    -- app_detector_dir = '/opt/snort/lib',
}

--[[
reputation =
{
    -- configure one or both of these, then uncomment reputation
    --blacklist = 'blacklist file name with ip lists'
    --whitelist = 'whitelist file name with ip lists'
}
--]]

 

---------------------------------------------------------------------------

-- 4. configure bindings

---------------------------------------------------------------------------

 

-- Traffic-to-inspector mapping. The wizard identifies services on the fly;
-- explicit port bindings cover protocols it cannot recognise.
wizard = default_wizard

-- Small constructors so each binding reads as one line. The tables they
-- return are exactly { when = { ... }, use = { type = ... } }; a nil proto
-- simply leaves that key out of `when`.
local function on_ports(proto, ports, inspector)
    return { when = { proto = proto, ports = ports }, use = { type = inspector } }
end

local function on_service(service, inspector, proto)
    return { when = { proto = proto, service = service }, use = { type = inspector } }
end

-- Keep the order: the wizard entry at the end is the fallback for anything
-- the specific bindings above it do not claim.
binder =
{
    -- port bindings required for protocols without wizard support
    on_ports('udp', '53', 'dns'),
    on_ports('tcp', '111', 'rpc_decode'),
    on_ports('tcp', '502', 'modbus'),
    on_ports('tcp', '2123 2152 3386', 'gtp'),

    -- DCE/RPC keyed on service plus transport
    on_service('dcerpc', 'dce_tcp', 'tcp'),
    on_service('dcerpc', 'dce_udp', 'udp'),

    on_service('netbios-ssn', 'dce_smb'),
    on_service('dce_http_server', 'dce_http_server'),
    on_service('dce_http_proxy', 'dce_http_proxy'),

    -- service-based bindings
    on_service('dnp3', 'dnp3'),
    on_service('dns', 'dns'),
    on_service('ftp', 'ftp_server'),
    on_service('ftp-data', 'ftp_data'),
    on_service('gtp', 'gtp_inspect'),
    on_service('imap', 'imap'),
    on_service('http', 'http_inspect'),
    on_service('http2', 'http2_inspect'),
    on_service('modbus', 'modbus'),
    on_service('pop3', 'pop'),
    on_service('ssh', 'ssh'),
    on_service('sip', 'sip'),
    on_service('smtp', 'smtp'),
    on_service('ssl', 'ssl'),
    on_service('sunrpc', 'rpc_decode'),
    on_service('telnet', 'telnet'),

    -- fallback: hand everything else to the wizard
    { use = { type = 'wizard' } }
}

 

---------------------------------------------------------------------------

-- 5. configure performance

---------------------------------------------------------------------------

 

-- use latency to monitor / enforce packet and rule thresholds

-- Per-packet and per-rule time budgets; units and the enforcement switches
-- are listed by `snort --help-module latency`. As written this stanza only
-- sets the thresholds -- whether an overrun is merely reported or actually
-- acted on (packet fast-pathed, rule suspended) depends on the module's
-- enforcement options, which are not set here.
latency = { packet = { max_time = 1500 }, rule = { max_time = 200 } }

 

-- use these to capture perf data for analysis and tuning

--profiler = { }

--perf_monitor = { }

 

---------------------------------------------------------------------------

-- 6. configure detection

---------------------------------------------------------------------------

 

-- Reference and classification tables from snort_defaults.lua; rule
-- metadata and priorities resolve against them.
references      = default_references
classifications = default_classifications

-- Detection. Builtin decoder/inspector alerts are on. Text rules are not
-- included here; in this setup they come from the command line (-R). To keep
-- the ruleset with the config instead, add an include using the same path
-- as the start command, e.g.
--   include = '/opt/snort/etc/snort/rules/snort3-community.rules'
-- (mind the hyphen vs. underscore -- the file on disk is what counts).
-- Rules files can include other rules files.
ips = { enable_builtin_rules = true }

 

-- use these to configure additional rule actions

-- react = { }

-- reject = { }

-- rewrite = { }

 

---------------------------------------------------------------------------

-- 7. configure filters

---------------------------------------------------------------------------

 

-- below are examples of filters

-- each table is a list of records

 

--[[

suppress =

{

    -- don't want to see any of these

    { gid = 1, sid = 1 },

 

    -- don't want to see these for a given server

    { gid = 1, sid = 2, track = 'by_dst', ip = '1.2.3.4' },

}

--]]

 

--[[

event_filter =

{

    -- reduce the number of events logged for some rules

    { gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds
= 10 },

    { gid = 1, sid = 2, type = 'both',  track = 'by_dst', count = 5, seconds
= 60 },

}

--]]

 

--[[

rate_filter =

{

    -- alert on connection attempts from clients in SOME_NET

    { gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1,

      new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' },

 

    -- alert on connections to servers over threshold

    { gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3,

      new_action = 'alert', timeout = 1 },

}

--]]

 

---------------------------------------------------------------------------

-- 8. configure outputs

---------------------------------------------------------------------------

 

-- event logging
-- you can enable with defaults from the command line with -A <alert_type>;
-- with the defaults the alert_* modules write to stdout, not to a file under
-- the -l log directory, so a tool that fetches an alert file from this host
-- (e.g. pytbull's alertsfile) finds nothing there
-- uncomment below to set non-default configs, e.g. the module's `file`
-- option (alert_full = { file = true }) to write alerts into the log
-- directory -- confirm the option and the resulting file name with
-- `snort --help-module alert_full`, then point the fetching tool at that file

--alert_csv = { }

--alert_fast = { }

--alert_full = { }

--alert_sfsocket = { }

--alert_syslog = { }

--unified2 = { }

 

-- packet logging

-- you can enable with defaults from the command line with -L <log_type>

--log_codecs = { }

--log_hext = { }

--log_pcap = { }

 

-- additional logs

--packet_capture = { }

--file_log = { }

 

 

This is the command I am using to start Snort:

 

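# Start the sensor on enp0s3 in IDS mode with the snort.lua above
# (restored to one command; the mail client wrapped it).
#   -A alert_full  alert format. With the stock config this goes to stdout,
#                  not to a file under -l; see section 8 of snort.lua and
#                  `snort --help-module alert_full` before pointing pytbull
#                  at a file name.
#   -R ...rules    text rules (the config's own `include` is commented out).
#   -s 65535       snaplen.
#   -k none        checksum mode "none": packets with bad checksums are still
#                  inspected, which a test harness that replays/crafts packets
#                  may need; do not carry this into a production sensor.
#   -l / -L        log directory and packet log format.
sudo /opt/snort/bin/snort -A alert_full -i enp0s3 \
    -c /opt/snort/etc/snort/snort.lua \
    -R /opt/snort/etc/snort/rules/snort3-community.rules \
    -s 65535 -k none \
    -l /var/log/snort -L log_pcap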

 

I am running snort v3.0

 

Any help would be greatly appreciated.

 

Kindest Regards

 

Saffy

 
