Snort mailing list archives
RE: Help! Snort is not... snorting!!!
From: "Neal Timm" <ntimm () austin rr com>
Date: Fri, 31 Aug 2001 01:13:52 -0500
I updated my libpcap to 0.6.2 and recompiled snort and it is now working but had the same problem originally. make sure if you install libpcap from source you either specify /usr/lib as bin directory or put /usr/local/lib/ in /etc/ld.so.conf file and run ldconfig. -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of g.carabetta () abi it Sent: Thursday, August 30, 2001 09:34 AM To: snort-users () lists sourceforge net Subject: [Snort-users] Help! Snort is not... snorting!!! I've just upgraded snort to 1.8.1-RELEASE. I make (from Internet) an nmap nmap -sS xxx.xxx.xx.2 - (try directly the firewall public ip: is the port on which snort is active.) an I cannot see anything in log files. Here is my snort.conf #-------------------------------------------------- # http://www.snort.org Snort 1.8.0 Ruleset # Contact: snort-sigs () lists sourceforge net #-------------------------------------------------- # NOTE:This ruleset only works for 1.8.0 and later #-------------------------------------------------- # $Id: snort.conf,v 1.62 2001/08/12 04:31:01 roesch Exp $ # ################################################### # This file contains a sample snort configuration. # You can take the following steps to create your # own custom configuration: # # 1) Set the network variables for your network # 2) Configure preprocessors # 3) Configure output plugins # 4) Customize your rule set # ################################################### # Step #1: Set the network variables: # # You must change the following variables to reflect # your local network. The variable is currently # setup for an RFC 1918 address space. # # You can specify it explicitly as: # # var HOME_NET 10.1.1.0/24 # # or use global variable $<interfacename>_ADDRESS # which will be always initialized to IP address and # netmask of the network interface which you run # snort at. # # var HOME_NET $eth0_ADDRESS # # You can specify lists of IP addresses for HOME_NET # by separating the IPs with commas like this: # # var HOME_NET [10.1.1.0/24,192.168.1.0/24] # # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! # # or you can specify the variable to be any IP address # like this: #var HOME_NET any var HOME_NET [xxx.xxx.xx.0/24,192.168.1.0/24,192.168.20.0/24,192.168.10.0/24,192.168.40.0 /24,192.168.92.0/24] # Set up the external network addresses as well. # A good start may be "any" #var EXTERNAL_NET any var EXTERNAL_NET xxx.xxx.xx.2/32 # Set up your SMTP servers, or simply configure them # to HOME_NET var SMTP $HOME_NET # Set up your web servers, or simply configure them # to HOME_NET #var HTTP_SERVERS $HOME_NET var HTTP_SERVERS xxx.xxx.xx.0/24 # Set up your sql servers, or simply configure them # to HOME_NET var SQL_SERVERS $HOME_NET # Define the addresses of DNS servers and other hosts # if you want to ignore portscan false alarms from them... #var DNS_SERVERS $HOME_NET var DNS_SERVERS [192.168.92.1/32,192.168.10.1/32,192.168.1.1/32,xxx.xxx.xx.4/32] ################################################### # Step #2: Configure preprocessors # # General configuration for preprocessors is of # the form # preprocessor <name_of_processor>: <configuration_options> # minfrag: detect small fragments # ------------------------------- # minfrag has been deprecated as of build 26 # defrag: defragmentation support # ------------------------------- # IP defragmentation support from Dragos Ruiu. There # are no configuration options at this time. #preprocessor defrag preprocessor frag2 # stream2: TCP stream reassembly # ------------------------------------- # TCP stream reassembly preprocessor from Chris Cramer. # This preprocessor should always go after the defrag # preprocessor, but before application layer decoders. # The example below monitors ports 23 and 80, has a # timeout after 10 seconds, and will send reassembled # packets of max payload 16384 bytes through the # detection engine. See README.tcpstream for more # information and configuration options. Uncomment # the following line and configure appropriately to # enable this preprocessor. # # NOTE: This code should still be considered BETA! # It seems to be stable, but there are still some # issues that remain to be resolved, so make sure you # keep an eye on your Snort sensor if you enable this plugin # The older version which definitely had issues w/ packet # loss is still in the code base, to use it in place of the # new version, use "preprocessor stream: ..." #preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384 # stream4: stateful inspection/stream reassembly for Snort #---------------------------------------------------------------------- # Use in concert with the -z [all|est] command line switch to defeat # stick/snot against TCP rules. Also performs full TCP stream # reassembly, stateful inspection of TCP streams, etc. Can statefully # detect various portscan types, fingerprinting, ECN, etc. # stateful inspection directive # no arguments loads the defaults (timeout 30, memcap 8MB) # options (options are comma delimited): # detect_scans - stream4 will detect stealth portscans and generate alerts # when it sees them when this option is set # detect_state_problems - detect TCP state problems, this tends to be very # noisy because there are a lot of crappy ip stack # implementations out there # keepstats [machine] - keep session statistics, add "machine" to get them in # a flat format for machine reading # noinspect - turn off stateful inspection only # timeout [number] - set the session timeout counter to [number] seconds, # default is 30 seconds # memcap [number] - limit stream4 memory usage to [number] bytes preprocessor stream4: detect_scans # tcp stream reassembly directive # no arguments loads the default configuration (clientonly, ports default, # alerts on) # options (still comma delimited): # clientonly - reassemble traffic for the client side of a connection only # serveronly - reassemble traffic for the server side of a connection only # both - reassemble both sides of a session # noalerts - turn off alerts from the stream reassembly stage of stream4 # ports [list] - use the space separated list of ports in [list], "all" # will turn on reassembly for all ports, "default" will turn # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111 # and 513 preprocessor stream4_reassemble # http_decode: normalize HTTP requests # ------------------------------------ # http_decode normalizes HTTP requests from remote # machines by converting any %XX character # substitutions to their ASCII equivalent. This is # very useful for doing things like defeating hostile # attackers trying to stealth themselves from IDSs by # mixing these substitutions in with the request. # Specify the port numbers you want it to analyze as arguments. # You may also specify -unicode to turn off detection of # UNICODE directory traversal, etc attacks. Use -cginull to # turn off detection of CGI NULL code attacks. preprocessor http_decode: 80 -unicode -cginull # unidecode: normalize HTTP/detect UNICODE attacks # ------------------------------------------------ # Works much the same as http_decode, but does a better # job of categorizing and identifying UNICODE attacks, # recommended as a potential replacement for http_decode. # preprocessor unidecode: 80 -unicode -cginull # rpc_decode: normalize RPC traffic # --------------------------------- # RPC may be sent in alternate encodings besides the usual # 4-byte encoding that is used by default. This preprocessor # normalized RPC traffic in much the same way as the http_decode # preprocessor. This plugin takes the ports numbers that RPC # services are running on as arguments. preprocessor rpc_decode: 111 # bo: Back Orifice detector # ------------------------- # Detects Back Orifice traffic on the network. This preprocessor # uses the Back Orifice "encryption" algorithm to search for # traffic conforming to the Back Orifice protocol (not BO2K). # This preprocessor can take two arguments. The first is "-nobrute" # which turns off the plugin's brute forcing routine (brute forces # the key space of the protocol to find BO traffic). The second # argument that can be passed to the routine is a number to use # as the default key when trying to decrypt the traffic. The # default value is 31337 (just like BO). Be aware that turning on # the brute forcing option runs the risk of impacting the overall # performance of Snort, you've been warned... preprocessor bo: -nobrute # telnet_decode: Telnet negotiation string normalizer # --------------------------------------------------- # This preprocessor "normalizes" telnet negotiation strings from # telnet and ftp traffic. It works in much the same way as the # http_decode preprocessor, searching for traffic that breaks up # the normal data stream of a protocol and replacing it with # a normalized representation of that traffic so that the "content" # pattern matching keyword can work without requiring modifications. # This preprocessor requires no arguments. preprocessor telnet_decode # portscan: detect a variety of portscans # --------------------------------------- # portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net> # This preprocessor detects UDP packets or TCP SYN packets going to # four different ports in less than three seconds. "Stealth" TCP # packets are always detected, regardless of these settings. preprocessor portscan: $HOME_NET 4 3 portscan.log # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from # specific networks or hosts to reduce false alerts. It is typical # to see many false alerts from DNS servers so you may want to # add your DNS servers here. You can all multiple hosts/networks # in a whitespace-delimited list. # #preprocessor portscan-ignorehosts: $DNS_SERVERS # Spade: the Statistical Packet Anomaly Detection Engine #------------------------------------------------------- # READ the README.Spade file before using this plugin! # # See http://www.silicondefense.com/spice/ for more info # # Spade is a Snort plugin to report unusual, possibly # suspicious, packets. Spade will review the packets # received by Snort, find those of interest (TCP SYNs # into your homenets, if any), and report those packets # that it believes are anomalous along with an anomaly # score. To enable spp_anomsensor, you must have a # line of this form in your snort configuration file: # # preprocessor spade: <anom-report-thresh> <state-file> # <log-file> <prob-mode> <checkpoint-freq> # # set this to a directory Spade can read and write to # store its files # # var SPADEDIR . # # preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000 # # put a list of the networks you are interested in Spade observing packets # going to here # # preprocessor spade-homenet: 0.0.0.0/0 # # this causes Spade to adjust the reporting threshold automatically # the first argument is the target rate of alerts for normal circumstances # (0.01 = 1% or you can give it an hourly rate) after the first hour (or # however long the period is set to in the second argument), the reporting # threshold given above is ignored you can comment this out to have the # threshold be static, or try one of the other adapt methods below # preprocessor spade-adapt3: 0.01 60 168 # # other possible Spade config lines: # adapt method #1 #preprocessor spade-adapt: 20 2 0.5 # adapt method #2 #preprocessor spade-adapt2: 0.01 15 4 24 7 # offline threshold learning #preprocessor spade-threshlearn: 200 24 # periodically report on the anom scores and count of packets seen #preprocessor spade-survey: $SPADEDIR/survey.txt 60 # print out known stats about packet feature #preprocessor spade-stats: entropy uncondprob condprob # arpspoof #---------------------------------------- # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, # directed ARP requests, and specific ARP mapping monitoring. Takes a # "-directed" option to turn on directed ARP request detection. preprocessor arpspoof #################################################################### # Step #3: Configure output plugins # # Uncomment and configure the output plugins you decide to use. # General configuration for output plugins is of the form: # # output <name_of_plugin>: <configuration_options> # # alert_syslog: log alerts to syslog # ---------------------------------- # Use one or more syslog facilities as arguments # output alert_syslog: LOG_AUTH LOG_ALERT # log_tcpdump: log packets in binary tcpdump format # ------------------------------------------------- # The only argument is the output file name. # # output log_tcpdump: snort.log # database: log to a variety of databases # --------------------------------------- # See the README.database file for more information about configuring # and using this plugin. # # output database: log, mysql, user=root password=test dbname=db host=localhost # output database: alert, postgresql, user=snort dbname=snort # output database: log, unixodbc, user=snort dbname=snort # output database: log, mssql, dbname=snort user=snort password=test # xml: xml logging # ---------------- # See the README.xml file for more information about configuring # and using this plugin. # # output xml: log, file=/var/log/snortxml # unified: Snort unified binary format alerting and logging # ------------------------------------------------------------- # The unified output plugin provides two new formats for logging # and generating alerts from Snort, the "unified" format. The # unified format is a straight binary format for logging data # out of Snort that is designed to be fast and efficient. Used # with the upcoming tool "barnyard", most of the overhead for # logging and alerting to various slow storage mechanisms such # as databases or the network can now be avoided. # # Check out the spo_unified.h file for the data formats. # # output alert_unified: snort.alert # output log_unified: snort.log # trap_snmp: SNMP alerting for Snort # ------------------------------------------------------------- # Read the README-SNMP file for more information on enabling and using this # plug-in. # # # The SnmpTrapGenerator outputplugin requires several parameters # The parameters depend on the Snmpversion that is used (specified) # For the SNMPv2c case the paremeters will be as follows # alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber> # <hostName> <community> # # For SNMPv2c traps # #output trap_snmp: alert, 7, trap -v 2c -p 162 myTrapListener myCommunity # # For SNMPv2c informs #output trap_snmp: alert, 7, inform -v 2c -p 162 myTrapListener myCommunity # # For SNMPv3 traps with # security name = snortUser # security level = authentication and privacy # authentication parameters : # authentication protocol = SHA , # authentication pass phrase = SnortAuthPassword # privacy (encryption) parameters # privacy protocol = DES, # privacy pass phrase = SnortPrivPassword # #output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener #For SNMPv3 informs with authentication and encryption #output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener # You can optionally define new rule types and associate one or # more output plugins specifically to that type. # # This example will create a type that will log to just tcpdump. # ruletype suspicious # { # type log # output log_tcpdump: suspicious.log # } # # EXAMPLE RULE FOR SUSPICIOUS RULETYPE: # suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) # # This example will create a rule type that will log to syslog # and a mysql database. # ruletype redalert # { # type alert # output alert_syslog: LOG_AUTH LOG_ALERT # output database: log, mysql, user=snort dbname=snort host=localhost # } # # EXAMPLE RULE FOR REDALERT RULETYPE # redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \ # flags:A+;) # # Include classification & priority settings # include classification.config #################################################################### # Step #4: Customize your rule set # # Up to date snort rules are available at the following web sites: # http://www.snort.org # http://www.whitehats.com # # The snort web site has documentation about how to # write your own custom snort rules. # # The rules included with this distribution generate alerts based on # on suspicious activity. Depending on your network environment, your # security policies, and what you consider to be suspicious, some of # these rules may either generate false positives ore may be detecting # activity you consider to be acceptable; therefore, you are # encouraged to comment out rules that are not applicable in your # environment. # # Note that using all of the rules at the same time may lead to # serious packet loss on slower machines. YMMV, use with caution, # standard disclaimers apply. :) # # The following individuals contributed many of rules in this # distribution. # # Credits: # Ron Gula <rgula () securitywizards com> of Network Security Wizards # Max Vision <vision () whitehats com> # Martin Markgraf <martin () mail du gtn com> # CyberPsychotic <fygrave () tigerteam net> # Nick Rogness <nick () rapidnet com> # Jim Forster <jforster () rapidnet com> # Scott McIntyre <scott () whoi edu> # Tom Vandepoel <Tom.Vandepoel () ubizen com> # Brian Caswell <bmc () mitre org> #========================================= # Include all relevant rulesets here # by default policy, info, and virus # rulesets are disabled #========================================= include exploit.rules include scan.rules include finger.rules include ftp.rules include telnet.rules include smtp.rules include rpc.rules include rservices.rules include backdoor.rules include dos.rules include ddos.rules include dns.rules include netbios.rules include web-cgi.rules include web-coldfusion.rules include web-frontpage.rules include web-iis.rules include web-misc.rules include sql.rules include x11.rules include icmp.rules include shellcode.rules include misc.rules include policy.rules include info.rules include local.rules _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Help! Snort is not... snorting!!! g . carabetta (Aug 30)
- RE: Help! Snort is not... snorting!!! Neal Timm (Aug 31)