Snort mailing list archives
RE: No Alerts in Windows w/ Snort 2.20 RC1
From: "Mike" <mike () Novanix com>
Date: Tue, 27 Jul 2004 00:30:10 -0400
Thanks for the suggestions, I tried it with nothing but bin\snort.exe -c etc\snort.conf And it still didn't pick up any of my attempts. I did leave snort running for quite awhile however, and it logged 8 things all the same basically(ips removed): [**] [1:648:7] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] 07/26-23:19:00.987642 123.123.123.123:1680 -> 123.123.123.123:135 TCP TTL:119 TOS:0x0 ID:14235 IpLen:20 DgmLen:284 DF ***AP*** Seq: 0x7800A201 Ack: 0xC2E6D411 Win: 0x21FC TcpLen: 20 [Xref => http://www.whitehats.com/info/IDS181] But this server is getting many attacks, and these are all it picks up. It seemed to load the rules so I don't know what I'm missing.
-----Original Message----- From: Michael Steele [mailto:michaels () winsnort com] Sent: Monday, July 26, 2004 10:20 PM To: mike () novanix com; snort-users () lists sourceforge net Subject: RE: [Snort-users] No Alerts in Windows w/ Snort 2.20 RC1 Remove all the extra switches and find out which one is causing the problem; my guess would be the -A Kindest regards, Michael... WINSNORT.com Management Team Member -- Pick up your FREE Windows or UNIX Snort installation guides mailto:support () winsnort com Website: http://www.winsnort.com Snort: Open Source Network IDS - http://www.snort.org-----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users- admin () lists sourceforge net] On Behalf Of mike () novanix com Sent: Monday, July 26, 2004 3:36 PM To: snort-users () lists sourceforge net Subject: [Snort-users] No Alerts in Windows w/ Snort 2.20 RC1 I finally got snort to seem to run fine, however no alerts are being generated when it should be. All there is, is the log file with 0 size. The config file is very similar to the config file I use on my linux boxesandthey all work perfectly. I am not sure what could be wrong. I saw a previous set of messages on the list dealing with logging to an sql database and no alerts, so i am not sure if it is related but that one seemed unresolved (at least in the archives). The following are the specs: Windows Server 2003 Standard Dual XEON 3ghz CPUS (w/ hyperthreading) 2 Gigs of Ram Intel(R) PRO/1000 MT Network Connection Snort 2.20 RC1 - http://www.snort.org/dl/binaries/win32/snort-2_2_0RC1.exeWinPcap 3.0 - http://winpcap.polito.it/install/bin/WinPcap_3_0.exe (Tried latest however gave a dll entry error, saw thread that saidthisworks) LibnetNT the included version (Tried 'upgrading' from url of: http://www.eeye.com/html/Research/Tools/libnetnt.html, however saw no difference minus a runtime error when i killed snort) My command line is: C:\Snort\bin\snort.exe -c "C:\snort\etc\snort.conf" -l "C:\snort\Log" -A full -i 1 -d -e -X I also tried: bin\snort -c c:\snort\etc\snort.conf -A console -b but it doesn't show any alerts to the console or to file. It is definately seeing lots of packets, and I can even see it getting the attack packetIsend: 0x0000: 00 C0 9F 3F 13 53 00 03 31 C5 CC 00 08 00 45 00
...?.S..1.....E.
0x0010: 00 A2 A0 F4 40 00 32 06 26 DB 42 4F BC A0 43 13
....@.2.&.BO..C.
0x0020: 3E 84 D5 89 00 50 A9 11 B7 52 E9 0F 27 90 80 18....P...R..'...0x0030: 16 D0 F3 AC 00 00 01 01 08 0A 0F 42 17 A8 00 00
...........B....
0x0040: 00 00 47 45 54 20 2F 63 6D 64 2E 65 78 65 20 48 ..GET /cmd.exeH0x0050: 54 54 50 2F 31 2E 30 0D 0A 55 73 65 72 2D 41 67 TTP/1.0..User-Ag0x0060: 65 6E 74 3A 20 57 67 65 74 2F 31 2E 38 2E 32 0D ent:
Wget/1.8.2.
However no alert. My rule files are in unix file format, however i switched one to PC and it still didn't pick anything up. For when I run snort with the -A console the output is: Running in IDS mode Log directory = log Initializing Network Interface \Device\NPF_{66C08459-44B6-49F8-B602-E9E0D2731745} --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface \Device\NPF_{66C08459-44B6-49F8-B602-E9E0D2731745} Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file c:\snort\etc\snort.conf +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... ,-----------[Flow Config]---------------------- | Stats Interval: 0 | Hash Method: 2 | Memcap: 10485760 | Rows : 4099 | Overhead Bytes: 16400(%0.16) `---------------------------------------------- No arguments to frag2 directive, setting defaults to: Fragment timeout: 60 seconds Fragment memory cap: 4194304 bytes Fragment min_ttl: 0 Fragment ttl_limit: 5 Fragment Problems: 0 Self preservation threshold: 500 Self preservation period: 90 Suspend threshold: 1000 Suspend period: 30 Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes State alerts: INACTIVE Evasion alerts: INACTIVE Scan alerts: INACTIVE Log Flushed Streams: INACTIVE MinTTL: 1 TTL Limit: 5 Async Link: 0 State Protection: 0 Self preservation threshold: 50 Self preservation period: 90 Suspend threshold: 200 Suspend period: 30 Stream4_reassemble config: Server reassembly: INACTIVE Client reassembly: ACTIVE Reassembler alerts: ACTIVE Zero out flushed packets: INACTIVE flush_data_diff_size: 500 Ports: 21 23 25 53 80 110 111 143 513 1433 Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 HttpInspect Config: GLOBAL CONFIG Max Pipeline Requests: 0 Inspection Type: STATELESS Detect Proxy Usage: NO IIS Unicode Map Filename: c:\snort\etc\unicode.map IIS Unicode Map Codepage: 1252 DEFAULT SERVER CONFIG: Ports: 80 8080 8180 Flow Depth: 300 Max Chunk Length: 500000 Inspect Pipeline Requests: YES URI Discovery Strict Mode: NO Allow Proxy Usage: NO Disable Alerting: NO Oversize Dir Length: 500 Only inspect URI: NO Ascii: YES alert: NO Double Decoding: YES alert: YES %U Encoding: YES alert: YES Bare Byte: YES alert: YES Base36: OFF UTF 8: OFF IIS Unicode: YES alert: YES Multiple Slash: YES alert: NO IIS Backslash: YES alert: NO Directory Traversal: YES alert: NO Web Root Traversal: YES alert: YES Apache WhiteSpace: YES alert: YES IIS Delimiter: YES alert: YES IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Non-RFC Compliant Characters: NONE rpc_decode arguments: Ports to decode RPC on: 111 32771 alert_fragments: INACTIVE alert_large_fragments: ACTIVE alert_incomplete: ACTIVE alert_multiple_requests: ACTIVE telnet_decode arguments: Ports to decode telnet on: 21 23 25 119 1768 Snort rules read... 1768 Option Chains linked into 241 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ +-----------------------[thresholding-config]------------------------------- --- | memory-cap : 1048576 bytes +-----------------------[thresholding-global]------------------------------- --- | none +-----------------------[thresholding-local]-------------------------------- --- | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60 | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60 | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60 | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60 | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10 +-----------------------[suppression]--------------------------------------- --- ---------------------------------------------------------------------------- --- Rule application order: ->activation->dynamic->alert->pass->log --== Initialization Complete ==-- -*> Snort! <*- Version 2.2.0RC1-ODBC-MySQL-FlexRESP-WIN32 (Build 28) By Martin Roesch (roesch () sourcefire com, www.snort.org) 1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike) 1.8 - 2.x WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com) Snort received 36 packets Analyzed: 36(100.000%) Dropped: 0(0.000%)============================================================================ === Breakdown by protocol: TCP: 21 (58.333%) UDP: 4 (11.111%) ICMP: 2 (5.556%) ARP: 0 (0.000%) EAPOL: 0 (0.000%) IPv6: 0 (0.000%) IPX: 0 (0.000%) OTHER: 4 (11.111%) DISCARD: 0 (0.000%)============================================================================ === Action Stats: ALERTS: 0 LOGGED: 0 PASSED: 0============================================================================ === TCP Stream Reassembly Stats: TCP Packets Used: 12 (33.333%) Stream Trackers: 1 Stream flushes: 0 Segments used: 0 Stream4 Memory Faults: 0============================================================================ === Final Flow Statistics pcap_loop: read error: PacketReceivePacket failed ,----[ FLOWCACHE STATS ]---------- Memcap: 10485760 Overhead Bytes 16400 used(%0.161858)/blocks (16972/5) Overhead blocks: 1 Could Hold: (73326) IPV4 count: 4 frees: 0 low_time: 1090880204, high_time: 1090880208,
diff:
0h:00:04s finds: 17 reversed: 0(%0.000000) find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows:4Protocol: 1 (%5.882353) finds: 1 reversed: 0(%0.000000) find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 1 Protocol: 6 (%70.000000) finds: 14 reversed: 0(%0.000000) find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 1 Protocol: 17 (%25.000000) finds: 5 reversed: 0(%0.000000) find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 2 The snort.conf file #-------------------------------------------------- # http://www.snort.org Snort 2.1.0 Ruleset # Contact: snort-sigs () lists sourceforge net #-------------------------------------------------- # $Id: snort.conf,v 1.142 2004/03/20 21:58:42 cazz Exp $ # ################################################### # This file contains a sample snort configuration. # You can take the following steps to create your own custom configuration: # # 1) Set the network variables for your network # 2) Configure preprocessors # 3) Configure output plugins # 4) Customize your rule set # ################################################### # Step #1: Set the network variables: # # You must change the following variables to reflect your local network. The # variable is currently setup for an RFC 1918 address space. # # You can specify it explicitly as: # # var HOME_NET 10.1.1.0/24 # # or use global variable $<interfacename>_ADDRESS which will be always # initialized to IP address and netmask of the network interface whichyourun # snort at. Under Windows, this must be specified as # $(<interfacename>_ADDRESS), such as: # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS) # # var HOME_NET $eth0_ADDRESS # # You can specify lists of IP addresses for HOME_NET # by separating the IPs with commas like this: # # var HOME_NET [10.1.1.0/24,192.168.1.0/24] # # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! # # or you can specify the variable to be any IP address # like this: var HOME_NET any # Set up the external network addresses as well. A good start may be "any" var EXTERNAL_NET any # Configure your server lists. This allows snort to only look forattacksto # systems that have a service up. Why look for HTTP attacks if you are not # running a web server? This allows quick filtering based on IPaddresses# These configurations MUST follow the same configuration scheme as defined # above for $HOME_NET. # List of DNS servers on your network var DNS_SERVERS $HOME_NET # List of SMTP servers on your network var SMTP_SERVERS $HOME_NET # List of web servers on your network var HTTP_SERVERS $HOME_NET # List of sql servers on your network var SQL_SERVERS $HOME_NET # List of telnet servers on your network var TELNET_SERVERS $HOME_NET # List of snmp servers on your network var SNMP_SERVERS $HOME_NET # Configure your service ports. This allows snort to look for attacks destined # to a specific application only on the ports that application runs on. For # example, if you run a web server on port 8081, set your HTTP_PORTS variable # like this: # # var HTTP_PORTS 8081 # # Port lists must either be continuous [eg 80:8080], or a single port[eg80]. # We will adding support for a real list of ports in the future. # Ports you run web servers on # # Please note: [80,8080] does not work. # If you wish to define multiple HTTP ports, # ## var HTTP_PORTS 80 ## include somefile.rules ## var HTTP_PORTS 8080 ## include somefile.rules var HTTP_PORTS 80 # Ports you want to look for SHELLCODE on. var SHELLCODE_PORTS !80 # Ports you do oracle attacks on var ORACLE_PORTS 1521 # other variables # # AIM servers. AOL has a habit of adding new AIM servers, so instead of # modifying the signatures when they do, we add them to this list of servers. var AIM_SERVERS[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.1 2.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] # Path to your rules files (this can be a relative path) var RULE_PATH c:\snort\rules # Configure the snort decoder # ============================ # # Snort's decoder will alert on lots of things such as header # truncation or options of unusual length or infrequently used tcpoptions# # # Stop generic decode events: # # config disable_decode_alerts # # Stop Alerts on experimental TCP options # config disable_tcpopt_experimental_alerts # # Stop Alerts on obsolete TCP options # config disable_tcpopt_obsolete_alerts # # Stop Alerts on T/TCP alerts # # In snort 2.0.1 and above, this only alerts when a TCP option isdetected# that shows T/TCP being actively used on the network. If this isnormal# behavior for your network, disable the next option. # # config disable_tcpopt_ttcp_alerts # # Stop Alerts on all other TCPOption type events: # config disable_tcpopt_alerts # # Stop Alerts on invalid ip options # # config disable_ipopt_alerts # Configure the detection engine # =============================== # # Use a different pattern matcher in case you have a machine with very limited # resources: # # config detection: search-method lowmem ################################################### # Step #2: Configure preprocessors # # General configuration for preprocessors is of # the form # preprocessor <name_of_processor>: <configuration_options> # Configure Flow tracking module # ------------------------------- # # The Flow tracking module is meant to start unifying the state keeping # mechanisms of snort into a single place. Right now, only a portscan detector # is implemented but in the long term, many of the stateful subsystemsof# snort will be migrated over to becoming flow plugins. This must be enabled # for flow-portscan to work correctly. # # See README.flow for additional information # preprocessor flow: stats_interval 0 hash 2 # frag2: IP defragmentation support # ------------------------------- # This preprocessor performs IP defragmentation. This plugin will also detect # people launching fragmentation attacks (usually DoS) against hosts.No# arguments loads the default configuration of the preprocessor, whichisa 60 # second timeout and a 4MB fragment buffer. # The following (comma delimited) options are available for frag2 # timeout [seconds] - sets the number of [seconds] that an unfinished # fragment will be kept around waiting for completion, # if this time expires the fragment will beflushed# memcap [bytes] - limit frag2 memory usage to [number] bytes # (default: 4194304) # # min_ttl [number] - minimum ttl to accept # # ttl_limit [number] - difference of ttl to accept without alerting # will cause false positves with router flap # # Frag2 uses Generator ID 113 and uses the following SIDS # for that GID: # SID Event description # ----- ------------------- # 1 Oversized fragment (reassembled frag > 64k bytes) # 2 Teardrop-type attack preprocessor frag2 # stream4: stateful inspection/stream reassembly for Snort #---------------------------------------------------------------------- # Use in concert with the -z [all|est] command line switch to defeat stick/snot # against TCP rules. Also performs full TCP stream reassembly, stateful # inspection of TCP streams, etc. Can statefully detect variousportscan# types, fingerprinting, ECN, etc. # stateful inspection directive # no arguments loads the defaults (timeout 30, memcap 8388608) # options (options are comma delimited): # detect_scans - stream4 will detect stealth portscans and generate alerts # when it sees them when this option is set # detect_state_problems - detect TCP state problems, this tends to be very # noisy because there are a lot of crappy ip stack # implementations out there # # disable_evasion_alerts - turn off the possibly noisy mitigation of # overlapping sequences. # # # min_ttl [number] - set a minium ttl that snort will accept to # stream reassembly # # ttl_limit [number] - differential of the initial ttl on asessionversus # the normal that someone may be playing games. # Routing flap may cause lots of false positives. # # keepstats [machine|binary] - keep session statistics, add "machine"to# get them in a flat format for machine reading, add # "binary" to get them in a unified binaryoutput# format # noinspect - turn off stateful inspection only # timeout [number] - set the session timeout counter to [number] seconds, # default is 30 seconds # memcap [number] - limit stream4 memory usage to [number] bytes # log_flushed_streams - if an event is detected on a stream thisoptionwill # cause all packets that are stored in thestream4# packet buffers to be flushed to disk. Thisonly# works when logging in pcap mode! # # Stream4 uses Generator ID 111 and uses the following SIDS # for that GID: # SID Event description # ----- ------------------- # 1 Stealth activity # 2 Evasive RST packet # 3 Evasive TCP packet retransmission # 4 TCP Window violation # 5 Data on SYN packet # 6 Stealth scan: full XMAS # 7 Stealth scan: SYN-ACK-PSH-URG # 8 Stealth scan: FIN scan # 9 Stealth scan: NULL scan # 10 Stealth scan: NMAP XMAS scan # 11 Stealth scan: Vecna scan # 12 Stealth scan: NMAP fingerprint scan stateful detect # 13 Stealth scan: SYN-FIN scan # 14 TCP forward overlap preprocessor stream4: disable_evasion_alerts detect_scans ttl_limit 6 # tcp stream reassembly directive # no arguments loads the default configuration # Only reassemble the client, # Only reassemble the default list of ports (See below), # Give alerts for "bad" streams # # Available options (comma delimited): # clientonly - reassemble traffic for the client side of a connection only # serveronly - reassemble traffic for the server side of a connection only # both - reassemble both sides of a session # noalerts - turn off alerts from the stream reassembly stage ofstream4# ports [list] - use the space separated list of ports in [list],"all"# will turn on reassembly for all ports, "default" will turn # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111 # and 513 preprocessor stream4_reassemble # http_inspect: normalize and detect HTTP traffic and protocol anomalies # # lots of options available here. See doc/README.http_inspect. # unicode.map should be wherever your snort.conf lives, or given # a full path to where snort can find it. preprocessor http_inspect: global \ iis_unicode_map unicode.map 1252 preprocessor http_inspect_server: server default \ profile all ports { 80 8080 8180 } oversize_dir_length 500 # # Example unqiue server configuration # #preprocessor http_inspect_server: server 1.1.1.1 \ # ports { 80 3128 8080 } \ # flow_depth 0 \ # ascii no \ # double_decode yes \ # non_rfc_char { 0x00 } \ # chunk_length 500000 \ # non_strict \ # oversize_dir_length 300 \ # no_alerts # rpc_decode: normalize RPC traffic # --------------------------------- # RPC may be sent in alternate encodings besides the usual 4-byteencoding# that is used by default. This plugin takes the port numbers that RPC # services are running on as arguments - it is assumed that the given ports # are actually running this type of service. If not, change the ports or turn # it off. # The RPC decode preprocessor uses generator ID 106 # # arguments: space separated list # alert_fragments - alert on any rpc fragmented TCP data # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet # no_alert_large_fragments - don't alert when the fragmented # sizes exceed the current packet size # no_alert_incomplete - don't alert when a single segment # exceeds the current packet size preprocessor rpc_decode: 111 32771 # bo: Back Orifice detector # ------------------------- # Detects Back Orifice traffic on the network. Takes no arguments in2.0.# # The Back Orifice detector uses Generator ID 105 and uses the # following SIDS for that GID: # SID Event description # ----- ------------------- # 1 Back Orifice traffic detected preprocessor bo # telnet_decode: Telnet negotiation string normalizer # --------------------------------------------------- # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp # traffic. It works in much the same way as the http_decodepreprocessor,# searching for traffic that breaks up the normal data stream of a protocol and # replacing it with a normalized representation of that traffic so that the # "content" pattern matching keyword can work without requiring modifications. # This preprocessor requires no arguments. # Portscan uses Generator ID 109 and does not generate any SID
currently.
preprocessor telnet_decode # Flow-Portscan: detect a variety of portscans # --------------------------------------- # Note: The Flow preprocessor (above) must first be enabled for Flow-Portscan to # work. # # This module detects portscans based off of flow creation in the flow # preprocessors. The goal is to catch catch one->many hosts and one- many # ports scans. # # Flow-Portscan has numerous options available, please read # README.flow-portscan for help configuring this option. # Flow-Portscan uses Generator ID 121 and uses the following SIDS forthatGID: # SID Event description # ----- ------------------- # 1 flow-portscan: Fixed Scale Scanner Limit Exceeded # 2 flow-portscan: Sliding Scale Scanner Limit Exceeded # 3 flow-portscan: Fixed Scale Talker Limit Exceeded # 4 flow-portscan: Sliding Scale Talker Limit Exceeded # preprocessor flow-portscan: \ # talker-sliding-scale-factor 0.50 \ # talker-fixed-threshold 30 \ # talker-sliding-threshold 30 \ # talker-sliding-window 20 \ # talker-fixed-window 30 \ # scoreboard-rows-talker 30000 \ # server-watchnet [10.2.0.0/30] \ # server-ignore-limit 200 \ # server-rows 65535 \ # server-learning-time 14400 \ # server-scanner-limit 4 \ # scanner-sliding-window 20 \ # scanner-sliding-scale-factor 0.50 \ # scanner-fixed-threshold 15 \ # scanner-sliding-threshold 40 \ # scanner-fixed-window 15 \ # scoreboard-rows-scanner 30000 \ # src-ignore-net [192.168.1.1/32,192.168.0.0/24] \ # dst-ignore-net [10.0.0.0/30] \ # alert-mode once \ # output-mode msg \ # tcp-penalties on # arpspoof #---------------------------------------- # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, # unicast ARP requests, and specific ARP mapping monitoring. To makeuseof # this preprocessor you must specify the IP and hardware address ofhostson # the same layer 2 segment as you. Specify one host IP MAC combo per line. # Also takes a "-unicast" option to turn on unicast ARP requestdetection.# Arpspoof uses Generator ID 112 and uses the following SIDS for thatGID:# SID Event description # ----- ------------------- # 1 Unicast ARP request # 2 Etherframe ARP mismatch (src) # 3 Etherframe ARP mismatch (dst) # 4 ARP cache overwrite attack #preprocessor arpspoof #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 # Performance Statistics # ---------------------- # Documentation for this is provided in the Snort Manual. You shouldreadit. # It is included in the release distribution as doc/snort_manual.pdf # # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 #################################################################### # Step #3: Configure output plugins # # Uncomment and configure the output plugins you decide to use. General # configuration for output plugins is of the form: # # output <name_of_plugin>: <configuration_options> # # alert_syslog: log alerts to syslog # ---------------------------------- # Use one or more syslog facilities as arguments. Win32 can also optionally # specify a particular hostname/port. Under Win32, the default hostname is # '127.0.0.1', and the default port is 514. # # [Unix flavours should use this format...] # output alert_syslog: LOG_AUTH LOG_ALERT # # [Win32 can use any of these formats...] # output alert_syslog: LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT # log_tcpdump: log packets in binary tcpdump format # ------------------------------------------------- # The only argument is the output file name. # # output log_tcpdump: tcpdump.log # database: log to a variety of databases # --------------------------------------- # See the README.database file for more information about configuring # and using this plugin. # # output database: log, mysql, user=root password=test dbname=db host=localhost # output database: alert, postgresql, user=snort dbname=snort # output database: log, odbc, user=snort dbname=snort # output database: log, mssql, dbname=snort user=snort password=test # output database: log, oracle, dbname=snort user=snort password=test # unified: Snort unified binary format alerting and logging # ------------------------------------------------------------- # The unified output plugin provides two new formats for logging and generating # alerts from Snort, the "unified" format. The unified format is a straight # binary format for logging data out of Snort that is designed to befastand # efficient. Used with barnyard (the new alert/log processor), most of the # overhead for logging and alerting to various slow storage mechanisms such as # databases or the network can now be avoided. # # Check out the spo_unified.h file for the data formats. # # Two arguments are supported. # filename - base filename to write to (current time_t is appended) # limit - maximum size of spool file in MB (default: 128) # # output alert_unified: filename snort.alert, limit 128 # output log_unified: filename snort.log, limit 128 # You can optionally define new rule types and associate one or more output # plugins specifically to that type. # # This example will create a type that will log to just tcpdump. # ruletype suspicious # { # type log # output log_tcpdump: suspicious.log # } # # EXAMPLE RULE FOR SUSPICIOUS RULETYPE: # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) # # This example will create a rule type that will log to syslog and amysql# database: # ruletype redalert # { # type alert # output alert_syslog: LOG_AUTH LOG_ALERT # output database: log, mysql, user=snort dbname=snort host=localhost # } # # EXAMPLE RULE FOR REDALERT RULETYPE: # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \ # (msg:"Someone is being LEET"; flags:A+;) # # Include classification & priority settings # include classification.config # # Include reference systems # include reference.config #################################################################### # Step #4: Customize your rule set # # Up to date snort rules are available at http://www.snort.org # # The snort web site has documentation about how to write your owncustomsnort # rules. # # The rules included with this distribution generate alerts based on on # suspicious activity. Depending on your network environment, your security # policies, and what you consider to be suspicious, some of these rules may # either generate false positives ore may be detecting activity you consider to # be acceptable; therefore, you are encouraged to comment out rules that are # not applicable in your environment. # # The following individuals contributed many of rules in this distribution. # # Credits: # Ron Gula <rgula () securitywizards com> of Network Security Wizards # Max Vision <vision () whitehats com> # Martin Markgraf <martin () mail du gtn com> # Fyodor Yarochkin <fygrave () tigerteam net> # Nick Rogness <nick () rapidnet com> # Jim Forster <jforster () rapidnet com> # Scott McIntyre <scott () whoi edu> # Tom Vandepoel <Tom.Vandepoel () ubizen com> # Brian Caswell <bmc () snort org> # Zeno <admin () cgisecurity com> # Ryan Russell <ryan () securityfocus com> #========================================= # Include all relevant rulesets here # # The following rulesets are disabled by default: # # web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus, # chat, multimedia, and p2p # # These rules are either site policy specific or require tuning in order to not # generate false positive alerts in most enviornments. # # Please read the specific include file for more information and # README.alert_order for how rule ordering affects how alerts are triggered. #========================================= include $RULE_PATH/local.rules include $RULE_PATH/bad-traffic.rules include $RULE_PATH/exploit.rules include $RULE_PATH/scan.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/telnet.rules include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/dos.rules include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/tftp.rules include $RULE_PATH/web-cgi.rules include $RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-iis.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-client.rules include $RULE_PATH/web-php.rules include $RULE_PATH/sql.rules include $RULE_PATH/x11.rules include $RULE_PATH/icmp.rules include $RULE_PATH/netbios.rules include $RULE_PATH/misc.rules include $RULE_PATH/attack-responses.rules include $RULE_PATH/oracle.rules include $RULE_PATH/mysql.rules include $RULE_PATH/snmp.rules include $RULE_PATH/smtp.rules include $RULE_PATH/imap.rules include $RULE_PATH/pop2.rules include $RULE_PATH/pop3.rules include $RULE_PATH/nntp.rules include $RULE_PATH/other-ids.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/backdoor.rules include $RULE_PATH/shellcode.rules include $RULE_PATH/policy.rules include $RULE_PATH/porn.rules include $RULE_PATH/info.rules include $RULE_PATH/icmp-info.rules include $RULE_PATH/virus.rules include $RULE_PATH/chat.rules include $RULE_PATH/multimedia.rules include $RULE_PATH/p2p.rules include $RULE_PATH/experimental.rules # Include any thresholding or suppression commands. See threshold.confinthe # <snort src>/etc directory for details. Commands don't necessarily need to be # contained in this conf, but a separate conf makes it easier tomaintainthem. # Uncomment if needed. # include threshold.conf config event_queue: log 2 ------------------------------------------------------- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- No Alerts in Windows w/ Snort 2.20 RC1 mike (Jul 26)
- RE: No Alerts in Windows w/ Snort 2.20 RC1 Michael Steele (Jul 26)
- <Possible follow-ups>
- RE: No Alerts in Windows w/ Snort 2.20 RC1 Mike (Jul 26)