Snort mailing list archives
Re: 2.8.4 and ssh preprocessor
From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Fri, 10 Apr 2009 12:45:35 -0400
Known issue. The SSH pre-processor is still experimental.

Cheers,
-matt

On Fri, Apr 10, 2009 at 1:13 AM, Nerijus Krukauskas <nkrukauskas () gmail com> wrote:
Hi,

The new 2.8.4 snort. If I enable the experimental ssh preprocessor, then snort never starts. The output is stuck right after the message about ssh preprocessor config used. CPU goes at 100% utilisation. The snort process then can only be killed with KILL signal. If the ssh preprocessor is commented out, then snort starts and runs as it should. Anyone else with this kind of problem?

Cmd line used to start snort:

/usr/local/bin/snort -K none -o -e -c <config provided below> -X -d -y -i ${IFACE} ${BPF}

=====Config used=====
var HOME_NET [<a couple of networks>]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [<a few DNS servers>]
var SMTP_SERVERS [<smtp servers>]
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS [<sql server>]
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS [64.12.0.0/16,205.188.0.0/16]
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
config stateful
config enable_decode_oversized_alerts
config event_queue: max_queue 4 log 2 order_events priority
config threshold: memcap 20971520
config detection: search-method ac-bnfa
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules/
preprocessor frag3_global: max_frags 16384, memcap 8192000, prealloc_frags 8192
include $RULE_PATH/../conf/frag3-targets-last.conf
include $RULE_PATH/../conf/frag3-targets-linux.conf
include $RULE_PATH/../conf/frag3-targets-bsd.conf
preprocessor frag3_engine: policy Windows detect_anomalies
preprocessor stream5_global: flush_on_alert, \
    track_tcp yes, max_tcp 16384,\
    track_udp yes, max_udp 8192,\
    track_icmp yes, max_icmp 4096
preprocessor stream5_tcp: bind_to <network>, policy windows, min_ttl 3,\
    ports client 21 23 25 42 53 80 110 111 135 136 137 139 143 \
    443 445 513 514 992 993 995 1433 1521 2401 3306
preprocessor stream5_tcp: policy linux, min_ttl 3,\
    ports client 21 23 25 42 53 80 110 111 135 136 137 139 143 \
    443 445 513 514 992 993 995 1433 1521 2401 3306
preprocessor stream5_udp: timeout 20
preprocessor stream5_icmp: timeout 20
preprocessor http_inspect: global \
    iis_unicode_map $RULE_PATH/unicode.map 1252
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    flow_depth 512 \
    base36 no \
    ascii no \
    bare_byte no \
    iis_unicode no \
    double_decode no \
    multi_slash no \
    iis_backslash no \
    directory no \
    apache_whitespace no \
    iis_delimiter no \
    u_encode no \
    utf_8 no \
    chunk_length 64000 \
    non_strict \
    oversize_dir_length 512 \
    no_alerts
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
    normalize \
    ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    alt_max_param_len 20 { USER } \
    alt_max_param_len 100 { EPSV } \
    alt_max_param_len 200 { CWD } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    data_chan
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
preprocessor smtp: \
    ports { 25 587 691 } \
    inspection_type stateful \
    ignore_data \
    ignore_tls_data \
    max_command_line_len 512 \
    max_response_line_len 512 \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { low } \
    memcap { 32768000 } \
    watch_ip { <our network> } \
    ignore_scanners { <a few hyper active hosts> } \
    ignore_scanned { <a few servers hit by heavy traffic> }
preprocessor ssh: server_ports { 22 } max_encrypted_packets 5 \
    max_client_bytes 16384 \
    autodetect \
    disable_protomismatch \
    disable_paysize

--
http://nk99.org/
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
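The failure described in the quoted report (Snort stops printing right after the ssh preprocessor config message, pins a CPU at 100%, and only answers SIGKILL) is the kind of startup hang that a plain restart script will sit on forever. As an added example that is not part of this thread and is not Snort's own tooling, the POSIX shell script below wraps Snort's configuration test mode (`snort -T -c <conf>`, which parses the config and initialises the preprocessors without going live on an interface) in a hard timeout, so a preprocessor that never returns from initialisation is reported as a hang instead of blocking a deployment. The environment variable names `SNORT_BIN`, `SNORT_CONF` and `SNORT_TIMEOUT` are assumptions made for this example, not Snort options.

```sh
#!/bin/sh
# Added example (not from the thread above): run Snort's configuration
# test mode (-T) under a hard timeout so that a preprocessor that never
# returns from initialisation is reported as a hang rather than leaving
# a restart stuck at 100% CPU.
#
# Assumptions (names invented for this example): SNORT_BIN points at the
# snort binary (default: "snort" on PATH), SNORT_CONF is the snort.conf to
# test, SNORT_TIMEOUT is the time budget in seconds (default 60).

# run_with_timeout SECS CMD [ARGS...]
# Runs CMD in the background and polls it once per second. Returns the
# command's own exit status if it finishes in time, otherwise sends SIGKILL
# (SIGTERM did not help in the report above) and returns 124.
run_with_timeout() {
    secs=$1
    shift
    "$@" &
    pid=$!
    elapsed=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$elapsed" -ge "$secs" ]; then
            kill -KILL "$pid" 2>/dev/null
            wait "$pid" 2>/dev/null
            return 124
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    wait "$pid"
}

# snort_config_test SECS CONF
# Runs "snort -T -c CONF" under a timeout. Snort's own output is passed
# through on stderr (the last preprocessor line printed before a stall is
# the one to look at). Prints one status word on stdout and returns:
#   0    config accepted
#   124  startup hung and was killed
#   else snort rejected the config (snort's own exit status)
snort_config_test() {
    secs=$1
    conf=$2
    rc=0
    run_with_timeout "$secs" "${SNORT_BIN:-snort}" -T -c "$conf" 1>&2 || rc=$?
    case $rc in
        0)   echo "ok" ;;
        124) echo "hung" ;;
        *)   echo "rejected" ;;
    esac
    return "$rc"
}

# Stand-alone use:  SNORT_CONF=/etc/snort/snort.conf sh snort-conftest.sh
# The guard keeps the file sourceable without running anything.
if [ -n "${SNORT_CONF:-}" ]; then
    snort_config_test "${SNORT_TIMEOUT:-60}" "$SNORT_CONF"
    exit $?
fi
```

The polling loop deliberately avoids coreutils `timeout` so the script also works on systems that lack it; the price is up to one second of latency in noticing that Snort finished. Running this as a pre-start check in the init script turns the reported symptom into a non-zero exit and a "hung" status word that monitoring can act on, while leaving Snort's own output intact for diagnosis.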
Current thread:
- 2.8.4 and ssh preprocessor Nerijus Krukauskas (Apr 09)
- Re: 2.8.4 and ssh preprocessor Matt Watchinski (Apr 10)