Snort mailing list archives
Snort's configuration.Thanks!!!
From: "Santi Benito" <benisoroa () gmail com>
Date: Thu, 4 May 2006 15:25:15 +0200
Hi! First of all thank you for your preoccupation, this is the information that you asked for. The email is a little bit large, I hope it doesn't bore you.

What version of Snort are you running?
What version of libpcap are you running?
Please cut and paste your command line here.
Please cut and paste your snort.conf here (please remove anything identifiable as internal, e.g. passwords, home_net, etc.)
Please tell us about your network configuration.
Please tell us your hardware configuration.

Thank you Joel and rmkml for your disinterested help. The next lines are the response to these questions:

• Configuration of SNORT: dpkg -l | grep snort
  Version Snort: 2.3.3-2.1

• Version kernel: uname -a
  Version kernel: 2.6.13.4

• Version libpcap: dpkg -l | grep libpcap
  ii libpcap0.7 0.7.2-7 System interface for user-lev
  ii libpcap0.8 0.9.4-1 System interface for user-lev
  But I really don't know which of the two Snort is using... and also don't know how to change it....

• Command line of Snort:
  sudo snort -b -i eth1 -c /etc/snort/snort.conf -l /etc/snort/ santi_prueba

• Snort.conf
  I have a conventional configuration file, I will send you all of it except the comments with # of the conventional snort.conf that comes by default.

#--------------------------------------------------
# $Id: snort.conf,v 1.144.2.11 2005/04/22 19:15:49 jhewlett Exp $
#
###################################################
# Step #1: Set the network variables:
var HOME_NET any    # it is written like this because I want to analyze all the packets that I replay from the source
# Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
# config detection: search-method lowmem
###################################################
# Step #2: Configure preprocessors
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
preprocessor xlink2state: ports { 25 691 }
####################################################################
# Step #3: Configure output plugins
output log_tcpdump: tcpdump.log
include classification.config
include reference.config
####################################################################
# Step #4: Configure snort with config statements
#
# See the snort manual for a full set of configuration references
config flowbits_size: 256

Here do I have to write something for the memcap?

####################################################################
# Step #5: Customize your rule set
#
include $RULE_PATH/p2p.rules
include threshold.conf

• Network configuration:
  My network configuration is very special, I only have two computers, that are connected by eth1, the Ethernet card is a Gb Ethernet card. I replay some files from one to another and I analyze how many packets are dropped in the destination computer. That's my main problem: as I increase the replaying rate, the packets that are dropped also increase amazingly and I don't know why this drop number increases so much.

• Hardware configuration:

• command lspci -v
RAID bus controller: Silicon Image, Inc. (formerly CMD Technology Inc) SiI 3114 [SATALink/SATARaid] Serial ATA Controller (rev 02)
        Subsystem: Asustek Computer, Inc.: Unknown device 8167
        Flags: bus master, 66MHz, medium devsel, latency 32, IRQ 5
        I/O ports at 9000 [size=8]
        I/O ports at 9400 [size=4]
        I/O ports at 9800 [size=8]
        I/O ports at 9c00 [size=4]
        I/O ports at a000 [size=16]
        Memory at d9004000 (32-bit, non-prefetchable) [size=1K]
        Expansion ROM at 40000000 [disabled] [size=512K]
Ethernet controller: Marvell Technology Group Ltd. Yukon Gigabit Ethernet 10/100/1000Base-T Adapter (rev 13)
        Subsystem: Asustek Computer, Inc.: Unknown device 811a
        Flags: bus master, 66MHz, medium devsel, latency 32, IRQ 3
        Memory at d9000000 (32-bit, non-prefetchable) [size=16K]
        I/O ports at a400 [size=256]
        Expansion ROM at 40080000 [disabled] [size=128K]

• command cat /proc/….
cpuinfo
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 15
model           : 47
model name      : AMD Athlon(tm) 64 Processor 3500+
stepping        : 2
cpu MHz         : 2211.520
cache size      : 512 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes

meminfo
MemTotal:       905476 kB
MemFree:        360080 kB
Buffers:        127472 kB
Cached:         255772 kB
Snort-users mailing list
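The measurement the post describes (packets replayed from the source versus packets that reach Snort's "output log_tcpdump" file) can be checked directly by counting the records in both capture files. This is an added example, not code from the post or from Snort: it parses the libpcap file format itself, the function names and the two constructed sample captures are mine, and it deliberately tolerates a truncated last record, which a log cut off by stopping snort -b will often have.

```python
import struct

# Magic as read with "<I": tells byte order; the nanosecond variant has the same record layout.
PCAP_MAGIC = {0xa1b2c3d4: "<", 0xd4c3b2a1: ">", 0xa1b23c4d: "<", 0x4d3cb2a1: ">"}

def count_pcap_packets(data: bytes) -> int:
    """Count records in a libpcap-format capture, either byte order,
    ignoring a truncated trailing record (common when snort -b is stopped with Ctrl-C)."""
    if len(data) < 24:
        raise ValueError("not a pcap file: global header missing")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGIC:
        raise ValueError("not a pcap file: bad magic 0x%08x" % magic)
    endian = PCAP_MAGIC[magic]
    offset, count = 24, 0
    while offset + 16 <= len(data):
        # record header: ts_sec, ts_usec, incl_len (bytes stored), orig_len
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        if offset + 16 + incl_len > len(data):
            break  # truncated final record: not counted
        offset += 16 + incl_len
        count += 1
    return count

def drop_rate(replayed: bytes, logged: bytes) -> tuple:
    """Compare the replayed capture with what Snort's log_tcpdump output wrote."""
    sent = count_pcap_packets(replayed)
    seen = count_pcap_packets(logged)
    dropped = max(sent - seen, 0)
    pct = 100.0 * dropped / sent if sent else 0.0
    return sent, seen, dropped, pct

def _fake_pcap(n_packets: int, truncate: bool = False) -> bytes:
    """Constructed sample capture (not real traffic): n 60-byte records, Ethernet link type."""
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i in range(n_packets):
        payload = bytes([i]) * 60
        body += struct.pack("<IIII", 1000 + i, 0, len(payload), len(payload)) + payload
    if truncate:
        body += struct.pack("<IIII", 2000, 0, 60, 60) + b"\x00" * 10  # cut-off record
    return hdr + body

SENT_PCAP = _fake_pcap(4)                   # what was replayed
LOGGED_PCAP = _fake_pcap(3, truncate=True)  # what snort managed to log

if __name__ == "__main__":
    sent, seen, dropped, pct = drop_rate(SENT_PCAP, LOGGED_PCAP)
    print(f"replayed={sent} logged={seen} dropped={dropped} ({pct:.1f}%)")
```

On real files, pass the bytes of the replayed pcap and of the tcpdump.log file snort writes in its log directory; repeating this at each replay rate gives the drop curve the post is asking about.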
Current thread:
- Snort's configuration.Thanks!!! Santi Benito (May 04)
- Re: Snort's configuration.Thanks!!! Jason Brvenik (May 05)