Snort mailing list archives

Re: Trying to troubleshoot snort install.


From: Andy Berryman <aberryman () cymtec com>
Date: Wed, 3 Feb 2010 08:00:23 -0800

Well, if I'm not loading the preprocessor rules, why do I get http_inspect alerts and portscan alerts? Do the preprocessors generate alerts on the default settings regardless of whether a rule is applied?

Thanks,
Andy 

-----Original Message-----
From: Nigel Houghton [mailto:nhoughton () sourcefire com] 
Sent: Wednesday, February 03, 2010 9:43 AM
To: Andy Berryman
Cc: Snort Users List
Subject: Re: [Snort-users] Trying to troubleshoot snort install.

On Wed, Feb 3, 2010 at 10:13 AM, Matt Watchinski
<mwatchinski () sourcefire com> wrote:
Did you tell snort you want to use the preproc and decoder rules?  I don't
see the rules included in your pasted conf.  You have to first enable the
use of this feature with:

./configure --enable-decoder-preprocessor-rules

Then add the rules files from here:

src/snort-2.8.5.1/preproc_rules/decoder.rules
src/snort-2.8.5.1/preproc_rules/preprocessor.rules

Cheers,
-matt

On Tue, Feb 2, 2010 at 4:53 PM, Andy Berryman <aberryman () cymtec com> wrote:

Can someone point me in the right direction please? I'm trying to figure
out if I'm chasing my tail here. Basically when I start snort I tail syslog
and see this.

Feb  2 21:26:59 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Feb  2 21:26:59 (none) snort[19257]: Initializing rule chains...
Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules
Feb  2 21:27:15 (none) snort[19257]: 5866 Option Chains linked into 624 Chain Headers
Feb  2 21:27:15 (none) snort[19257]: 0 Dynamic rules
Feb  2 21:27:15 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++

Doesn't that tell me that it's not loading any of the preprocessor,
decoder, or dynamic rules?

Here is more from syslog where it says it is loading them I thought.

Loading all dynamic engine libs from /snort_lib/snort_dynamicengine...
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic engine /snort_lib/snort_dynamicengine/libsf_engine.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic engine libs from /snort_lib/snort_dynamicengine
Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic detection libs from /snort_lib/snort_dynamicrules...
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/bad-traffic.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/chat.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/dos.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/exploit.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/imap.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/misc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/multimedia.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/netbios.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/nntp.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/p2p.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/smtp.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/sql.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-client.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-misc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-activex.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-iis.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic detection libs from /snort_lib/snort_dynamicrules
Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor...
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor

Here's my snort.conf

var HOME_NET [10.27.1.0/24,10.10.1.0/24,10.150.1.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 10.27.1.2
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH  /snort/conf
var SORULE_PATH /snort/conf/so_rules
#config detection: search-method ac
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config profile_rules: print 20, sort total_ticks, filename rule_profiles.txt
dynamicdetection directory /snort_lib/snort_dynamicrules
dynamicpreprocessor directory /snort_lib/snort_dynamicpreprocessor
dynamicengine directory /snort_lib/snort_dynamicengine
config flowbits_size: 256
include classification.config
include reference.config
include $RULE_PATH/general.rules
include $RULE_PATH/local.rules
#include $RULE_PATH/so.rules
include $SORULE_PATH/bad-traffic.rules
include $SORULE_PATH/chat.rules
include $SORULE_PATH/dos.rules
include $SORULE_PATH/exploit.rules
include $SORULE_PATH/imap.rules
include $SORULE_PATH/misc.rules
include $SORULE_PATH/multimedia.rules
include $SORULE_PATH/netbios.rules
include $SORULE_PATH/nntp.rules
include $SORULE_PATH/p2p.rules
include $SORULE_PATH/smtp.rules
include $SORULE_PATH/sql.rules
include $SORULE_PATH/web-client.rules
include $SORULE_PATH/web-misc.rules
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies timeout 1800
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
#preprocessor bo
#preprocessor flow: stats_interval 0 hash 2
preprocessor sfportscan: proto  { all } \
                         scan_type { all } \
                         memcap { 10000000 } \
                         sense_level { medium }
preprocessor perfmonitor: \
time 30 events flow max console pktcnt 10000
preprocessor arpspoof
preprocessor dcerpc2
#preprocessor ssl: noinspect_encrypted
output queue: /var/log/snort/queue/ /snort/conf/sidfile
#output alert_syslog: LOG_AUTH LOG_ALERT

Thanks,

Andy Berryman
Cymtec Systems
support () cymtec com

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the
business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

Also, if the shared object rules didn't get activated there is some
more output from snort after the output you pasted that would be
useful.

Make sure you dumped the shared object rule stubs into your SORULE_PATH.

 # snort -c /snort/conf/snort.conf --dump-dynamic-rules=/snort/conf/so_rules

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

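As an added example (not part of the thread, and not Snort project code), the script below reads the rule-count banner Andy pasted together with the relevant lines of his snort.conf and reports the settings that decide whether decoder and preprocessor events are raised and whether they pass through a rule file at all. The sample log and config fragment are constructed from the lines in the thread; the regular expression for the banner wording and the function names are my assumptions, not a Snort API.

```python
"""Audit a Snort 2.8.x startup log and snort.conf for the symptom in this
thread: '0 decoder rules' / '0 preprocessor rules' at startup while
preprocessor-generated alerts still appear.

Added example; the samples below are constructed from the thread's lines and
the banner regex is an assumption about the 2.8.5.1 wording.
"""
import re

# Constructed sample: the rule-count banner from the thread, with the wrapped
# "Option Chains" line rejoined.
SAMPLE_SYSLOG = """\
Feb  2 21:26:59 (none) snort[19257]: Initializing rule chains...
Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules
Feb  2 21:27:15 (none) snort[19257]: 5866 Option Chains linked into 624 Chain Headers
Feb  2 21:27:15 (none) snort[19257]: 0 Dynamic rules
"""

# Constructed sample: the lines of the posted snort.conf that matter here,
# written with backslash continuations so the joiner below is exercised.
SAMPLE_CONF = """\
var RULE_PATH  /snort/conf
config disable_decode_alerts
include $RULE_PATH/general.rules
include $RULE_PATH/local.rules
preprocessor http_inspect_server: server default profile all ports { 80 \\
    8080 8180 } oversize_dir_length 500 no_alerts
preprocessor sfportscan: proto  { all } \\
                         scan_type { all } \\
                         sense_level { medium }
"""

# Matches "<pid>: <n> detection|decoder|preprocessor|Dynamic rules".
RULE_COUNT_RE = re.compile(
    r"snort\[\d+\]:\s+(\d+)\s+(detection|decoder|preprocessor|dynamic) rules",
    re.IGNORECASE,
)


def parse_rule_counts(syslog_text):
    """Return {'detection': n, 'decoder': n, 'preprocessor': n, 'dynamic': n}
    from the 'Initializing rule chains' banner; categories not seen are absent."""
    counts = {}
    for line in syslog_text.splitlines():
        m = RULE_COUNT_RE.search(line)
        if m:
            counts[m.group(2).lower()] = int(m.group(1))
    return counts


def join_continuations(conf_text):
    """Collapse backslash-continued lines into one logical directive each and
    drop blanks and comments. A blank line right after a trailing backslash
    (as in a double-spaced paste) would otherwise cut the directive short."""
    logical, buf = [], ""
    for raw in conf_text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:
        logical.append(buf.strip())
    return [l for l in logical if l and not l.startswith("#")]


def audit_conf(conf_text):
    """Flag the settings that control decoder/preprocessor event generation
    and whether decoder.rules / preprocessor.rules are included at all."""
    lines = join_continuations(conf_text)
    includes = [l.split(None, 1)[1] for l in lines if l.startswith("include ")]
    return {
        "decoder_rules_included": any(p.endswith("decoder.rules") for p in includes),
        "preprocessor_rules_included": any(p.endswith("preprocessor.rules") for p in includes),
        "decode_alerts_disabled": any(l.startswith("config disable_decode_alerts") for l in lines),
        "http_inspect_no_alerts": any(
            l.startswith("preprocessor http_inspect_server:") and "no_alerts" in l.split()
            for l in lines),
        "sfportscan_enabled": any(l.startswith("preprocessor sfportscan") for l in lines),
    }


def diagnose(syslog_text, conf_text):
    """Combine the banner counts and the config audit into readable findings."""
    counts = parse_rule_counts(syslog_text)
    conf = audit_conf(conf_text)
    notes = []
    if counts.get("decoder", 0) == 0 and not conf["decoder_rules_included"]:
        notes.append("0 decoder rules loaded and no decoder.rules include: "
                     "decoder events are not routed through a rule file")
    if counts.get("preprocessor", 0) == 0 and not conf["preprocessor_rules_included"]:
        notes.append("0 preprocessor rules loaded and no preprocessor.rules include: "
                     "preprocessor events are not routed through a rule file")
    if conf["decode_alerts_disabled"]:
        notes.append("config disable_decode_alerts is set: decoder alerts are suppressed")
    if conf["http_inspect_no_alerts"]:
        notes.append("http_inspect_server default profile has no_alerts set")
    if conf["sfportscan_enabled"]:
        notes.append("sfportscan is enabled: it raises its own portscan events")
    return notes


if __name__ == "__main__":
    for note in diagnose(SAMPLE_SYSLOG, SAMPLE_CONF):
        print("-", note)
```

Run it against the pasted log and config and it reports exactly the two zero counts with no matching include, plus the three preprocessor options that govern event generation on their own. That is the distinction behind the question in the reply above: in Snort 2.8.x the decoder and the preprocessors raise their events according to their own options (disable_decode_alerts, no_alerts, the sfportscan block), and decoder.rules / preprocessor.rules only come into play when the build was configured with --enable-decoder-preprocessor-rules and the files are included, at which point they give per-SID control over those same events.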