Snort mailing list archives
Re: Trying to troubleshoot snort install.
From: Andy Berryman <aberryman () cymtec com>
Date: Wed, 3 Feb 2010 08:00:23 -0800
Well, if I'm not loading the preprocessor rules, why do I get http_inspect alerts and portscan alerts? Do the preprocessors generate alerts on the default settings regardless of whether a rule is applied or not?

Thanks,
Andy

-----Original Message-----
From: Nigel Houghton [mailto:nhoughton () sourcefire com]
Sent: Wednesday, February 03, 2010 9:43 AM
To: Andy Berryman
Cc: Snort Users List
Subject: Re: [Snort-users] Trying to troubleshoot snort install.

On Wed, Feb 3, 2010 at 10:13 AM, Matt Watchinski <mwatchinski () sourcefire com> wrote:
Did you tell snort you want to use the preproc and decoder rules? I don't see the rules included in your pasted conf. You have to first enable the use of this feature with:

./configure --enable-decoder-preprocessor-rules

Then add the rules files from here:

src/snort-2.8.5.1/preproc_rules/decoder.rules
src/snort-2.8.5.1/preproc_rules/preprocessor.rules

Cheers,
-matt

On Tue, Feb 2, 2010 at 4:53 PM, Andy Berryman <aberryman () cymtec com> wrote:

Can someone point me in the right direction please? I'm trying to figure out if I'm chasing my tail here. Basically when I start snort I tail syslog and see this.

Feb 2 21:26:59 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Feb 2 21:26:59 (none) snort[19257]: Initializing rule chains...
Feb 2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb 2 21:27:15 (none) snort[19257]: 5866 detection rules
Feb 2 21:27:15 (none) snort[19257]: 0 decoder rules
Feb 2 21:27:15 (none) snort[19257]: 0 preprocessor rules
Feb 2 21:27:15 (none) snort[19257]: 5866 Option Chains linked into 624 Chain Headers
Feb 2 21:27:15 (none) snort[19257]: 0 Dynamic rules
Feb 2 21:27:15 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++

Doesn't that tell me that it's not loading any of the preprocessor, decoder, or dynamic rules? Here is more from syslog where, I thought, it says it is loading them.

Loading all dynamic engine libs from /snort_lib/snort_dynamicengine...
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic engine /snort_lib/snort_dynamicengine/libsf_engine.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Finished Loading all dynamic engine libs from /snort_lib/snort_dynamicengine
Feb 2 21:30:14 (none) snort[19434]: Loading all dynamic detection libs from /snort_lib/snort_dynamicrules...
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/bad-traffic.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/chat.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/dos.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/exploit.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/imap.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/misc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/multimedia.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/netbios.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/nntp.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/p2p.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/smtp.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/sql.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/web-client.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/web-misc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/web-activex.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/web-iis.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Finished Loading all dynamic detection libs from /snort_lib/snort_dynamicrules
Feb 2 21:30:14 (none) snort[19434]: Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor...
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Finished Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor

Here's my snort.conf:

var HOME_NET [10.27.1.0/24,10.10.1.0/24,10.150.1.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 10.27.1.2
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /snort/conf
var SORULE_PATH /snort/conf/so_rules
#config detection: search-method ac
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config profile_rules: print 20, sort total_ticks, filename rule_profiles.txt
dynamicdetection directory /snort_lib/snort_dynamicrules
dynamicpreprocessor directory /snort_lib/snort_dynamicpreprocessor
dynamicengine directory /snort_lib/snort_dynamicengine
config flowbits_size: 256
include classification.config
include reference.config
include $RULE_PATH/general.rules
include $RULE_PATH/local.rules
#include $RULE_PATH/so.rules
include $SORULE_PATH/bad-traffic.rules
include $SORULE_PATH/chat.rules
include $SORULE_PATH/dos.rules
include $SORULE_PATH/exploit.rules
include $SORULE_PATH/imap.rules
include $SORULE_PATH/misc.rules
include $SORULE_PATH/multimedia.rules
include $SORULE_PATH/netbios.rules
include $SORULE_PATH/nntp.rules
include $SORULE_PATH/p2p.rules
include $SORULE_PATH/smtp.rules
include $SORULE_PATH/sql.rules
include $SORULE_PATH/web-client.rules
include $SORULE_PATH/web-misc.rules
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies timeout 1800
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
#preprocessor bo
#preprocessor flow: stats_interval 0 hash 2
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    memcap { 10000000 } \
    sense_level { medium }
preprocessor perfmonitor: \
    time 30 events flow max console pktcnt 10000
preprocessor arpspoof
preprocessor dcerpc2
#preprocessor ssl: noinspect_encrypted
output queue: /var/log/snort/queue/ /snort/conf/sidfile
#output alert_syslog: LOG_AUTH LOG_ALERT

Thanks,
Andy Berryman
Cymtec Systems
support () cymtec com

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experienced hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
Also, if the shared object rules didn't get activated there is some more output from snort after the output you pasted that would be useful. Make sure you dumped the shared object rule stubs into your SORULE_PATH.

# snort -c /snort/conf/snort.conf --dump-dynamic-rules=/snort/conf/so_rules

--
Nigel Houghton
Head Mentalist SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
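A small check I would keep next to a Snort 2.8 install for exactly this situation (added here; it is not code from anyone in the thread, and the syslog excerpt and snort.conf fragment it embeds are constructed to mirror the ones quoted above): it parses the "N ... rules" lines of Snort's startup summary and, for each zero count, reports the conf-side cause Matt and Nigel point to (preprocessor.rules / decoder.rules not included, SO rule stubs not loaded) plus the global `config disable_decode_alerts` setting that is present in the pasted conf.

```python
import re

# Constructed syslog excerpt in the shape of the startup summary pasted in the thread.
SAMPLE_SYSLOG = """\
Feb 2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb 2 21:27:15 (none) snort[19257]: 5866 detection rules
Feb 2 21:27:15 (none) snort[19257]: 0 decoder rules
Feb 2 21:27:15 (none) snort[19257]: 0 preprocessor rules
Feb 2 21:27:15 (none) snort[19257]: 0 Dynamic rules
"""

# Constructed snort.conf fragment modelled on the one in the thread: SO rule
# stubs are included, no preproc_rules files are, and decoder alerts are off.
SAMPLE_CONF = """\
var RULE_PATH /snort/conf
var SORULE_PATH /snort/conf/so_rules
config disable_decode_alerts
dynamicdetection directory /snort_lib/snort_dynamicrules
include $RULE_PATH/general.rules
include $SORULE_PATH/bad-traffic.rules
"""

COUNT_RE = re.compile(r"snort\[\d+\]: (\d+) (detection|decoder|preprocessor|Dynamic) rules")

def rule_counts(syslog_text):
    """Map each rule category named in the startup summary to its loaded count."""
    return {m.group(2).lower(): int(m.group(1)) for m in COUNT_RE.finditer(syslog_text)}

def diagnose(syslog_text, conf_text):
    """Explain zero rule counts from what the conf does (and does not) include."""
    counts = rule_counts(syslog_text)
    includes = [l.split(None, 1)[1] for l in conf_text.splitlines() if l.startswith("include ")]
    findings = []
    for cat, rules_file in (("decoder", "decoder.rules"), ("preprocessor", "preprocessor.rules")):
        if counts.get(cat, 0) == 0:
            findings.append(f"startup summary reports 0 {cat} rules")
            if not any(p.endswith(rules_file) for p in includes):
                findings.append(f"{rules_file} is not included in snort.conf")
    if counts.get("dynamic", 0) == 0 and re.search(r"^dynamicdetection directory", conf_text, re.M):
        findings.append("0 Dynamic rules although dynamicdetection directory is set; "
                        "check that the SO rule stubs were dumped into SORULE_PATH")
    if re.search(r"^config disable_decode_alerts", conf_text, re.M):
        findings.append("config disable_decode_alerts suppresses decoder alerts globally")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SYSLOG, SAMPLE_CONF):
        print("WARN:", finding)
```

Feed it the real syslog lines and snort.conf instead of the constructed samples; a conf that includes the two preproc_rules files through a variable path is still recognised because only the file name is matched.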
Current thread:
- Trying to troubleshoot snort install. Andy Berryman (Feb 02)
- Re: Trying to troubleshoot snort install. Matt Watchinski (Feb 03)
- Re: Trying to troubleshoot snort install. Nigel Houghton (Feb 03)
- Re: Trying to troubleshoot snort install. Andy Berryman (Feb 03)
- Re: Trying to troubleshoot snort install. Matt Watchinski (Feb 03)
- Re: Trying to troubleshoot snort install. Andy Berryman (Feb 03)
- Re: Trying to troubleshoot snort install. Andy Berryman (Feb 03)
- Re: Trying to troubleshoot snort install. Jason Wallace (Feb 03)
- Re: Trying to troubleshoot snort install. Andy Berryman (Feb 03)
- Re: Trying to troubleshoot snort install. Nigel Houghton (Feb 03)
- Re: Trying to troubleshoot snort install. Matt Watchinski (Feb 03)