Re: Need help - TCP Stream5

[Matt Olney <molney () sourcefire com>]

By the way we're going to be publishing a full recommended conf, but here is
a preview:

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10
min_fragment_length 100 timeout 180

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes,
track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs
180, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
   ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143
110 \
      111 161 445 513 514 691 1220 1433 1521 2100 2301 3128 3306 6665 6666
6667 6668 6669 \
      7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776
32777 32778 32779, \
   ports both 80 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
7902 7903 7904 7905 \
      7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919
7920
preprocessor stream5_udp: timeout 180

preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
   chunk_length 500000 \
   server_flow_depth 0 \
   client_flow_depth 0 \
   post_depth 65495 \
   oversize_dir_length 500 \
   ports { 80 1220 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 }
\
   non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
   apache_whitespace no \
   ascii no \
   bare_byte no \
   directory no \
   double_decode no \
   iis_backslash no \
   iis_delimiter no \
   iis_unicode no \
   multi_slash no \
   non_strict \
   u_encode yes \
   webroot no

Matt

On Thu, Apr 8, 2010 at 8:36 AM, Matt Olney <molney () sourcefire com> wrote:

> Parag:
>
> What port is your traffic on?
> What is the rule you are using?
> Can you drop us a PCAP?
>
> Matt
>
> On Thu, Apr 8, 2010 at 3:59 AM, Parag Pote <pipsparag () yahoo com> wrote:
>
> > Hi All,
> >
> > I configured snort latest version on a linux PC and able to get it
> > running. When I send UDP,ICMP attack, it is getting detected. I use snot
> > tool for this. But TCP are not getting detected. I think it is due to
> > stateful nature of stream5 proprocessor. So I created a TCP connection using
> > stream socket and send attack data (which I understood after sending TCP
> > attack packet using snot).
> >
> > So now it establishes the TCP connection and then send malicious data. But
> > still I can not see any attacks logged in /var/log/snort/alert file.
> > Somebody suggested use hping with data file which contains malicious data.
> > Tried but no luck.
> >
> > Here I have attached snort.conf for reference. Can somebody help me out?
> >
> > Rgds,
> > Parag
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Download Intel® Parallel Studio Eval
> > Try the new software tools for yourself. Speed compiling, find bugs
> > proactively, and fine-tune applications for parallel performance.
> > See why Intel Parallel Studio got high marks during beta.
> > http://p.sf.net/sfu/intel-sw-dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users