Snort mailing list archives
New FAQ in cvs....
From: Dragos Ruiu <dr () kyx net>
Date: Mon, 13 Aug 2001 07:02:17 -0700
Here is a patch that shows FAQ changes... --- FAQ-v1.8.1 Sat Aug 11 05:08:24 2001 +++ FAQ Mon Aug 13 07:01:33 2001 @@ -1,4 +1,4 @@ -SNORT FAQ Version 1.8 - July 10 2001 v1.8.1 +SNORT FAQ Version 1.8.1' - 13 August 2001 Suggestions for enhancements of this document are always welcome please email them to Dragos Ruiu at @@ -18,10 +18,25 @@ Roman Danyliw Christopher Cramer Frank Knobbe +Phil Wood +Toby Kohlenberg +Ramin Alidousti +Jim Hankins +Dennis Hollingworth +Paul Howell +Erek Adams +Stef Mit +Ofir Arkin +Jason Haar +Blake Frantz +Lars Norman Søndergaard +Brent Erickson -Frequently Asked Questions about "snort" +----------------------------------------------------------------------------- +Frequently Asked Questions about "snort" + Section 1: Snort Background -------------------------- @@ -68,6 +83,8 @@ 3.12 Q: Which takes precedence, commandline or rule file ? 3.13 Q: How does rule ordering work? 3.14 Q: How do I configure stream4? +3.15 Q: Where does one obtain new/modifed rules? How do you merge them in? +3.16 Q: How do you get the latest snort via cvs? Section 4: Snort Rules and Alerts --------------------------------- @@ -88,6 +105,7 @@ 4.15 Q: What about 'SMB Name Wildcard' alerts? 4.16 Q: What the heck is a SYNFIN scan? 4.17 Q: I am getting too many "IIS Unicode attack detected" and/or "CGI Null Byte attack detected" false positives. How can I turn this detection off? +4.18 Q: How do I test snort alerts and logging? Section 5: Getting Fancy @@ -100,6 +118,7 @@ 5.6 Q: Snort complains about the "react" keyword... 5.7 Q: How do I get snort to e-mail me alerts? 5.8 Q: How do I log a specific type of traffic and send alerts to syslog? +5.9 Q: Is it possible to have snort call an external program when an alert is raised? Section 6: Problems ------------------- 
@@ -124,7 +143,8 @@ 6.17 Q: Snort is not logging to syslog 6.18 Q: I am still getting bombarded with spp_portscan messages even though the IP that I am getting the portscan from is in my $DNS_SERVERs var 6.19 Q: Why chrooted snort die when I send it a SIGHUP? - +6.20 Q: My snort crashes, how do I restart it? +6.21 Q: Why can't snort see one of either the 10Mbps or 100Mbps traffic on my autoswitch hub --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- @@ -154,6 +174,8 @@ A: http://lists.sourceforge.net/mailman/listinfo/snort-users + Also look in the USAGE file in the distribution. + 1.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Where can I get more reading and courses about IDS? @@ -180,7 +202,10 @@ 1.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Does Snort handle IP defragmentation? -A: Yes, use "preprocessor defrag" +A: Yes, use "preprocessor frag2" or "preprocessor defrag" or "preprocessor defrag2" + + Each has slightly different capabilities. + Snort also currently has the "minfrag" rule option available that looks for tiny fragments and can generate alerts based upon the size of the fragments alone. This is a valid strategy because there is virtually no commercially @@ -198,13 +223,11 @@ session loggin, tcp reassembly and much much more... Check the FAQ question on configuring stream4. - 1.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Does Snort perform stateful protocol analysis? A: Yes, see above answer regarding stream4 preprocessor - 1.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: I'm on a switched network, can I still use Snort? 
@@ -830,8 +853,32 @@ the integrated system to enable higer performance implementations of Snort. ---faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- +3.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- +Q: Where does one obtain new/modifed rules? How do you merge them in? + +A: New rules can be downloaded via CVS (See next question) or alternatively + may be found at www.snort.org and snort.sourcefire.com. There is + a mailing list dedicated to snort rules, called appropriately enough + snort-rules hosted at sourceforge. + + to merge in new rules check out the snortpp program in the contribr + directory. + +3.16 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- +Q: How do you get the latest snort via cvs? + +A: The snoRt project's SourceForge CVS repository can be checked outr + through anonymous (pserver) CVS with the following instruction set. + The module you wish to check out must be specified as the modulename.r + When prompted for a password for anonymous, simply press the Enter key. + + cvs -d:pserver:anonymous () cvs snort sourceforge net:/cvsroot/snort login + + cvs -z3 -d:pserver:anonymous () cvs snort sourceforge net:/cvsroot/snort co modulename + Updates from within the module's directory do not need the -d parameter. + + 
@@ -925,8 +972,73 @@ 4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: What are all these "ICMP destination unreachable" alerts? -A: They are failed connections ICMP unreach packet carries first 64 - bytes of the original datagram. +A: ICMP is the acronym for Internet Control Message Protocol + They are failed connections ICMP unreach packet carries first 64 + bits(8bytes) or more of the original datagrami and the original IP header. + + The ICMP Destination Unreachable (message type 3) is sent back to the + originator when an IP packet could not be delivered to the destination + address. The ICMP Code indicates why the packet could not be delivered. + The original codes are: + 0 net unreachable + 1 host unreachable + 2 protocol unreachable + 3 port unreachable + 4 fragmentation needed and DF bit set + 5 source route failed + + + As far as why... "it all depends..." + + ICMP Unreachable Error Messages are divided into two groups: + - ICMP Unreachable Error Messages issued by routers (all 16 of them) + - ICMP Unreachable Error Messages issued by a Host (only 2) + + What are the only 2 issued by a host? + ICMP Port Unreachable - the destination port on the targeted host is + closed (a.k.a. not in a listening state). + ICMP Protocol Unreachable - the protocol we were trying to use is not + being used on the targeted host. + + + Both ICMP Type field and Code field indicates why the packets could + not be delivered. Some snort ICMP alerts" are informational like the ICMP + alerts found in icmp-info.rules. At this time there are no references + or even classtypes associated with these rules. + + Other rules are more likely to be associated with untoward activity. 
For + example, in icmp.rules you will find: + + alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; + content:"|495353504e475251|";itype:8;depth:32; reference:arachnids,158; + classtype:attempted-recon; sid:465; rev:1;) + + which has a reference where the importance might be determined by checking + out the aracnids reference. The classtype may indicate more or + less the relative importance of the event. + + When a destination UDP port is closed on the targeted host, a.k.a. not + in a listening state, the targeted host will issue an ICMP Port Unreachable + error message back to the offending packets source IP address, given in + the query. Some programs use these messages, like traceroute with *nix + based machines. Windows based machines (tracert) will default to + ICMP Echo requests... + + For further information about this see + IP ftp://ftp.isi.edu/in-notes/rfc791.txt + ICMP ftp://ftp.isi.edu/in-notes/rfc792.txt + TCP ftp://ftp.isi.edu/in-notes/rfc793.txt + UDP ftp://ftp.isi.edu/in-notes/rfc768.txt + + and + + http://www.iana.org/assignments/icmp-parameters + + Actually, putting this URL somewhere handy is a good idea: + + http://www.iana.org/ + + There is also a good ICMP paper on http://www.sys-security.com/ 4.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set? 
@@ -1035,6 +1147,26 @@ preprocessor http_decode: 80 8080 -unicode -cginull + Your own internal users normal surfing can trigger these alerts in the + preprocessor. Netscape in particular has been known to trigger them. + + Instead of disabling them,try a BPF filter to ignore your outbound http + traffic such as: + + snort -d -A fast -c snort.conf not (src net xxx.xxx and dst port 80) + + This has worked very well for us over a period of 5-6 months and Snort is + still very able to decode actual and dangerous cgi null and unicode attacks + on our public web servers. + + +4.18 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- +Q: How do I test snort alerts and logging? + +A: Try a rule that will fire off all the time like: + + alert tcp any any -> any any (msg:"TCP traffic";) + --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- @@ -1182,7 +1314,26 @@ > Just my $0.02. > - + Danger Will Robinson: Conventional wisdom says that + auto-blocking is inherently dangerous. + + However, for those that like to live at the + bleeding edge of tech (and the separate + process scanning logs and processing + firewall commands sounds like a good + way to do this...): + + Please remember to include an exclusion list and put + on them important sites such as root servers, other + important dns servers (yours, and important sites for + your users), and in general any host you don't want + to receive phone calls about being DoSed when + they are spoofed - usually inconveniently like that + first time you actually manage to get on vacation.... + (i.e. imagine "Crisis: the ceo can't reach his favorite + redlite.org game.... you have to fly back from the + carribean asap....") + 5.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Snort complains about the "react" keyword... 
@@ -1212,6 +1363,33 @@ Then just do a telnet and type 'redalerttest'. Presto, alerts to both. + +5.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- +Q: Is it possible to have snort call an external program when an alert is raised? + + Calling another program from within your main IDS loop is + generally a bad idea. Having your IDS block while waiting + for <something> of dubious reliability and origin nevermind + timing while the packets are piling up is inviting packet loss. + Especially with the already oh-so-consistent "Gee I think + I'll go away for a minute" rock steady even cpu slicing + Windows gives you (that's sarcasm, sorry). Go with the + second approach.... process invokation is expensive on + Windows. + + You want to keep that IDS task humming and munching + packets as efficiently as possible with as few interruptions + as possible, imho, and not be invoking the penalty of + process invocation.... particularly on Windows where + process invocation is much much heavier task than *nix. + + Even in a secondary process... You'll probably find + something that stays "awake" all the time will work out + much more nicely than something that gets "woken up" + on a per alert basis for the aforementioned reasons. + + As a better alternative go check out swatch or logwatch. + --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- *************************************** @@ -1309,7 +1487,9 @@ A: The Linux IP stack doesn't report lost packet stats. This may be changing in version 2.4 of Linux, but for now you just don't get them. Try one - of the BSDs, they work just fine. + of the BSDs, they work just fine. This also has been recently fixed with + the 2.4 kernel in the new version of libpcap... upgrade kernels and libpcap + and it should now work. 6.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: My /var/log/snort directory get very large..... 
@@ -1551,6 +1731,117 @@ A: It's a known problem with permissions. Workaround, restart snort instead. + But the short answer is this: Due to the way the execv(2) call works, it + "Restarts" snort from scratch. This has the odd side effect of making HUPS to + a chrooted snort become recursive. For example, chroot to /snort. It now + sees /snort as / . Now HUP snort. Snort now expects to have /snort/snort as + / . In other words, you have to re-create your directories for your jail + inside it. 4 HUPS and you will be in /snort/snort/snort/snort . *bleh* + + +6.20 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- +Q: My snort crashes, how do I restart it? + +A: Try this shell script or daemontools + +#!/bin/sh +#snorthup: Snort Restarter and Crash Logger +#(dr () kyx net with help from kmaxwell () superpages com) +$conf = "snort.conf" +for $IFACE in fxp0 fxp1 +do + if [ -f /var/run/snort_$IFACE.pid ]; then + if ! ps -p `cat /var/run/snort_$IFACE.pid` > /dev/null ; then + /usr/bin/logger -p user.notice snorthup: removing bogus pidfile + /usr/bin/logger -p user.notice snorthup: restarting absentee snort on $IFACE with conf file $i + rm -f /var/run/snort_$IFACE.pid + /usr/local/bin/snort -D -c $conf -i $IFACE + fi; + else + /usr/bin/logger -p user.notice snorthup: restarting snort on $IFACE with conf file $conf + /usr/local/bin/snort -D -c $conf -i $IFACE + fi +done + +6.21 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- +Q: Why can't snort see one of the 10Mbps or 100Mbps traffic on my autoswitch hub + + Basically it's a function of the design and all autoswitching hubs will behave + in this way. It's the result of just not being able to stuff all the 100 Mbps + traffic into the 10Mbps CSMA/CD. One solution I use to the problem is + these new cheapie four port switches... 
put all the 10Mbps on it's own + hub/switch/whatever and then route that to the 100Mbps hub I use for monitoring + but put a cheapie switch in between that works as an adapter basically + mediating the 10 up to 100 and vice versa. + + + The bad thing about hubs that _don't_ have this "feature", is that + in order to support 10bt devices, they throttle the entire hub speed + down to 10bt if there is one or more 10bt only devices hooked up to it. + I have seen this behavior (and did the bandwidth tests to proove it) on + old 3com office connect 10/100 hubs (newer ones do the 2 hubs with a switch + thing.) So, the point of what I am saying is, since these old hubs have + no switching capabilities, and they don't know which port the traffic is + supposed to go to (no switch=no arp table), they have to throttle bandwidth. + + None of the hubs and switches have any significant amount of storage + on the ethernet chip sets, and therefore _any_ non-layer-three box that + has 100 -> 10 capability can only handle small amounts of traffic before + the chip set drops incoming packets on the floor. Guess one might call + that throttled bandwidth, but at the expense of retransmission timeouts + and retransmissions at the end nodes. + + If the box has a backplane, multiple cards and some network management + functions, there is a higher _probability_ the manufacturer has some + additional buffering going on to keep dropped packets from happening + on at least small bursts of traffic. + + In the most generic of terms, if a box supports 100 "full-duplex", then + its a switch (regardless of what the manufacturer calls it). If it + supports 100 -> 10, there is 50-50 chance the box has some MAC address + awareness. If a box only supports 10 -> 10 or 100 -> 100, there is a + high probability it is not MAC address aware and therefor functions + like a hub. + + Many hubs have different back planes, ie one for 10 one for 100. 
+ + From a definition standpoint, a hub segment whether it be 10 or 100 is + a single broadcast/collision domain. You will not see ANY traffic + between segements without a bridge or layer3 route function between + them. + + In a switched environment, typically each port is a separate collision + domain but one big broadcast domain. VLANs can be created in some to + separate into separate broadcast domains and some have built in layer + 3 functionality which basically connects a router into the backplane + so that it can route between vlans at wire speed. + + Think of a switch as a bridge with many ports. (that's what it is). + Some switches support port mirroring or span ports. When you want to + "sniff" frames in a switched environment (beyond just + broadcast/multicast traffic) you need to be able to "see" the unicast + traffic (telnet,http for example). You set up a port to mirror + traffic from the ports that have the devices your interested in to the + port you have your analysis device plugged into. Without doing so, + you don't see the unicast conversations because the traffic is getting + "switched" accross the backplane so pc on port 1 talks to server on + port 2 and no other ports get this traffic. If server on port 2 + broadcasts or multicasts, the information is flooded out all ports. + (multicast can be controlled on some switches so only those ports that + have listening stations get the traffic. Not all switches have these + capabilities. + + An excellent book on the topic is Interconnections by Radia Perlman. + (Bridges and Routers). + + Additional caveat: if you deal with full duplex on a switched port, + only a tap would save you - users have succesfully used Shomiti's + ones on 100MB FD ports, and used two Snort instances, capturing + traffic on both directions. Port mirroring didn't work in that case ... 
+ --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- ---END OF FAQ v1.8-- +--END OF FAQ v1.8.1-- + + + _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
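Review bot: stray apostrophe in the new title line of the @@ -1,4 +1,4 @@ hunk: "+SNORT FAQ Version 1.8.1' - 13 August 2001" should read "SNORT FAQ Version 1.8.1 - 13 August 2001".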
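Review bot: typo "modifed" in the new 3.15 index entry of the @@ -68,6 +83,8 @@ hunk ("Where does one obtain new/modifed rules?"); the same misspelling recurs in the 3.15 question body further down, so both should become "modified".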
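Review bot: the new 6.21 index entry in the @@ -124,7 +143,8 @@ hunk has no question mark and reads "one of either the 10Mbps or 100Mbps traffic", while the question body added in the @@ -1551 hunk reads "one of the 10Mbps or 100Mbps traffic"; make the index and body identical and end both with "?".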
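Review bot: the rewritten 1.5 answer in the @@ -180,7 +202,10 @@ hunk lists three choices ("preprocessor frag2" or "preprocessor defrag" or "preprocessor defrag2") and then says only "Each has slightly different capabilities", which gives the reader no basis to pick one. State which of the three the current release recommends and what the others do differently, or point at the file in the distribution that documents them; a FAQ reader with fragmented attack traffic to catch needs that, not a menu.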
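Review bot: stray "r" characters in the new 3.15 and 3.16 answers of the @@ -830,8 +853,32 @@ hunk: "contribr directory" should be "contrib directory", "The snoRt project's" should be "The snort project's", "checked outr" should be "checked out", and "modulename.r" should be "modulename." The sentence "to merge in new rules check out the snortpp program" also needs a capital "To". The two cvs commands are otherwise consistent (same -d root for login and co), and the note that updates inside the module directory need no -d is worth keeping.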
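Review bot: the second sentence of the expanded 4.8 answer in the @@ -925,8 +972,73 @@ hunk is a run-on with a typo: "They are failed connections ICMP unreach packet carries first 64 bits(8bytes) or more of the original datagrami and the original IP header." Suggest "They are failed connections. An ICMP unreachable packet carries the original IP header plus the first 64 bits (8 bytes) or more of the original datagram, which is what lets the receiver tie the error back to the packet that caused it." Further down in the same hunk: the stray quotation mark in 'Some snort ICMP alerts" are informational', "aracnids reference" should be "arachnids reference" to match the rule's reference:arachnids,158, and "the offending packets source IP address" needs the possessive "packet's".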
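Review bot: the BPF example added to 4.17 in the @@ -1035,6 +1147,26 @@ hunk will not run as typed, because the shell parses the parentheses before snort sees them: "snort -d -A fast -c snort.conf not (src net xxx.xxx and dst port 80)". Quote the expression: "snort -d -A fast -c snort.conf 'not (src net xxx.xxx and dst port 80)'". The answer should also say plainly that a BPF filter discards those packets before any rule sees them, so every other rule is blind to outbound port-80 traffic from that net as well, not just the unicode and cginull checks; that is the trade-off being accepted. In 4.18, the test rule "alert tcp any any -> any any (msg:"TCP traffic";)" fires on every TCP packet, so add a sentence telling the reader to remove it once logging is confirmed. Minor: "Your own internal users normal surfing" should be "users' normal surfing".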
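Review bot: the auto-blocking caution added in the @@ -1182,7 +1314,26 @@ hunk is the right point (an exclusion list for DNS roots, your own DNS servers and any host whose spoofed address you cannot afford to block), but it is written as a mailing-list aside ("Danger Will Robinson", "that's sarcasm" style) rather than FAQ text; suggest leading with the concrete rule, "never auto-block without an exclusion list of hosts you cannot afford to lose", and keeping the anecdote after it. Spelling: "carribean" should be "Caribbean".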
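Review bot: the new 5.9 entry in the @@ -1212,6 +1363,33 @@ hunk has no "A:" marker, unlike every other entry, and tells the reader to "Go with the second approach" although the question never presents two approaches; from the surrounding text the two are calling a program from inside the IDS loop versus a separate process that watches the alert log, so spell that out in the answer before recommending the latter. Spelling: "invokation" should be "invocation". The closing pointer to swatch or logwatch is the practical answer and could come first.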
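Review bot: the sentence appended to 6.7 in the @@ -1309,7 +1487,9 @@ hunk contradicts the text it is appended to: the answer still says "for now you just don't get them. Try one of the BSDs" and then adds "This also has been recently fixed with the 2.4 kernel in the new version of libpcap". Rewrite the answer so the current state is stated once (2.4 kernels with a recent libpcap report the stats, older kernels do not), and name the libpcap version that introduced the fix so readers can tell whether "upgrade kernels and libpcap" applies to them.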
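Review bot: the snorthup script added to 6.20 in the @@ -1551,6 +1731,117 @@ hunk will not run under /bin/sh as written. "$conf = "snort.conf"" must be "conf="snort.conf"" (no leading "$", no spaces around "="), "for $IFACE in fxp0 fxp1" must be "for IFACE in fxp0 fxp1", and the second logger line reports "conf file $i" where "$i" is never set and "$conf" is meant. A bare "snort.conf" in "-c $conf" also depends on the working directory, which is unpredictable from cron; use an absolute path. Note too that the else branch starts snort whenever the pidfile is absent, so a snort that was started without writing its pidfile will be duplicated. In 6.21, same hunk: the answer lacks its "A:" marker and the question its "?"; "no switch=no arp table" should be "no MAC address table", since a switch forwards on MAC addresses, not ARP, and the answer itself later speaks of "MAC address awareness"; "100MB FD" should be "100Mbps full duplex"; spelling: "it's own", "proove", "therefor", "segements", "accross", "succesfully".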