Snort mailing list archives
Re: need help
From: syazareen <syazareen () yahoo com>
Date: Thu, 25 Jun 2015 22:58:56 +0000 (UTC)
I want to test a rule for IPv6 but I do not know how to write the rule in IPv6. Have any suggestion for me? I'm using Snort on Windows.

On Wednesday, June 24, 2015 9:01 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

“ipv” isn’t a Snort rule option. IPv6 is enabled by default in Snort. There are no additional plugins needed.

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com

On Jun 24, 2015, at 12:01 AM, syazareen <syazareen () yahoo com> wrote:

Greetings. I'm a student and doing a project using Snort. I want to ask a question about Snort. I have installed Snort version 2.9.7.2 on Windows 8. I have tried to configure rules on Snort on an IPv4 network and it is working. Now I want to use Snort on an IPv6 network. I want to test the existing rules I found on the internet but an error appeared. The rule I have tried is as follows:

alert icmp any any -> any any ( itype :8; ipv: 6; \
    msg :" ICMPv4 PING in v6 pkt "; sid :100001; rev :1;)

The error states "unknown rule option ipv". What should I do? Below is my snort.conf.
#--------------------------------------------------
#   VRT Rule Packages Snort.conf
#
#   For more information visit us at:
#     http://www.snort.org                   Snort Website
#     http://vrt-blog.snort.org/    Sourcefire VRT Blog
#
#     Mailing list Contact:      snort-sigs () lists sourceforge net
#     False Positive reports:    fp () sourcefire com
#     Snort bugs:                bugs () snort org
#
#     Compatible with Snort Versions:
#     VERSIONS : 2.9.7.x
#
#     Snort build options:
#     OPTIONS : --enable-gre --enable-mpls --enable-targetbased --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
#
#     Additional information:
#     This configuration file enables active response, to run snort in
#     test mode -T you are required to supply an interface -i <interface>
#     or test mode will fail to fully validate the configuration and
#     exit with a FATAL error
#--------------------------------------------------

###################################################
# This file contains a sample snort configuration.
# You should take the following steps to create your own custom configuration:
#
#  1) Set the network variables.
#  2) Configure the decoder
#  3) Configure the base detection engine
#  4) Configure dynamic loaded libraries
#  5) Configure preprocessors
#  6) Configure output plugins
#  7) Customize your rule set
#  8) Customize preprocessor and decoder rule set
#  9) Customize shared object rule set
###################################################

###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################

# Setup the network addresses you are protecting
ipvar HOME_NET any

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of ssh servers on your network
var SSH_SERVERS $HOME_NET

# List of ftp servers on your network
var FTP_SERVERS $HOME_NET

# List of sip servers on your network
var SIP_SERVERS $HOME_NET

# List of ports you run web servers on
portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]

# List of ports you want to look for SHELLCODE on.
portvar SHELLCODE_PORTS !80

# List of ports you might see oracle attacks on
portvar ORACLE_PORTS 1024:

# List of ports you want to look for SSH connections on:
portvar SSH_PORTS 22

# List of ports you run ftp servers on
portvar FTP_PORTS [21,2100,3535]

# List of ports you run SIP servers on
portvar SIP_PORTS [5060,5061,5600]

# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]

# List of GTP ports for GTP preprocessor
portvar GTP_PORTS [2123,2152,3386]

# other variables, these should not be modified
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH c:\Snort\rules
var SO_RULE_PATH c:\Snort\so_rules
var PREPROC_RULE_PATH c:\Snort\preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH c:\Snort\rules
var BLACK_LIST_PATH c:\Snort\rules

###################################################
# Step #2: Configure the decoder.  For more information, see README.decode
###################################################

# Stop generic decode events:
config disable_decode_alerts

# Stop Alerts on experimental TCP options
config disable_tcpopt_experimental_alerts

# Stop Alerts on obsolete TCP options
config disable_tcpopt_obsolete_alerts

# Stop Alerts on T/TCP alerts
config disable_tcpopt_ttcp_alerts

# Stop Alerts on all other TCPOption type events:
config disable_tcpopt_alerts

# Stop Alerts on invalid ip options
config disable_ipopt_alerts

# Alert if value in length field (IP, TCP, UDP) is greater than the length of the packet
# config enable_decode_oversized_alerts

# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
# config enable_decode_oversized_drops

# Configure IP / TCP checksum mode
config checksum_mode: all

# Configure maximum number of flowbit references.  For more information, see README.flowbits
# config flowbits_size: 64

# Configure ports to ignore
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53

# Configure active response for non inline operation. For more information, see README.active
# config response: eth0 attempts 2

# Configure DAQ related options for inline operation. For more information, see README.daq
#
# config daq: <type>
# config daq_dir: <dir>
# config daq_mode: <mode>
# config daq_var: <var>
#
# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
# <mode> ::= read-file | passive | inline
# <var> ::= arbitrary <name>=<value passed to DAQ
# <dir> ::= path as to where to look for DAQ module so's

# Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options
#
# config set_gid:
# config set_uid:

# Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
#
# config snaplen:
#

# Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
#
# config bpf_file:
#

# Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)
#
config logdir: c:\Snort\log

###################################################
# Step #3: Configure the base detection engine.  For more information, see  README.decode
###################################################

# Configure PCRE match limitations
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500

# Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-split search-optimize max-pattern-len 20

# Configure the event queue.  For more information, see README.event_queue
config event_queue: max_queue 8 log 5 order_events content_length

###################################################
# Configure GTP if it is to be used.
#
# For more information, see README.GTP
###################################################

# config enable_gtp

###################################################
# Per packet and rule latency enforcement
# For more information see README.ppm
###################################################

# Per Packet latency configuration
#config ppm: max-pkt-time 250, \
#   fastpath-expensive-packets, \
#   pkt-log

# Per Rule latency configuration
#config ppm: max-rule-time 200, \
#   threshold 3, \
#   suspend-expensive-rules, \
#   suspend-timeout 20, \
#   rule-log alert

###################################################
# Configure Perf Profiling for debugging
# For more information see README.PerfProfiling
###################################################

#config profile_rules: print all, sort avg_ticks
#config profile_preprocs: print all, sort avg_ticks

###################################################
# Configure protocol aware flushing
# For more information see README.stream5
###################################################
config paf_max: 16000
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
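The "unknown rule option ipv" error in the thread comes from Snort's rule parser rejecting a keyword it does not know. The following is an added example, not code from the thread or from the Snort project: a small Python rule-option linter that tokenises a Snort 2.9 rule the way the parser does (splitting on ";" outside double quotes, joining "\"-continued lines), reports any keyword outside an assumed subset of documented options (KNOWN_OPTIONS is that assumption), and re-emits the rule without the offending option. Run against a constructed copy of the rule from the thread it flags "ipv" and leaves a rule Snort will load; whether "itype:8" then fires on IPv6 traffic is a separate question the thread does not settle.

```python
import re
# Assumed subset of the documented Snort 2.9 rule options. There is no "ipv"
# keyword: Snort inspects IPv6 packets without any per-rule switch.
KNOWN_OPTIONS = {
    "msg", "sid", "rev", "gid", "classtype", "priority", "reference", "metadata",
    "content", "nocase", "offset", "depth", "distance", "within", "pcre", "fast_pattern",
    "itype", "icode", "icmp_id", "icmp_seq", "ttl", "tos", "id", "ipopts", "fragbits",
    "dsize", "flags", "flow", "flowbits", "ip_proto", "sameip", "threshold", "tag",
}
HEADER_RE = re.compile(  # action proto src sport dir dst dport ( options )
    r"\s*(\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)\s*\((.*)\)\s*$", re.S)

def split_options(body):
    """Split on ';' honouring double-quoted values and backslash escapes."""
    toks, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # keep escaped char verbatim
            cur.append(body[i:i + 2]); i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            toks.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if in_quote or "".join(cur).strip():
        raise ValueError("unterminated quote or option missing ';'")
    return [(k.strip(), v.strip() if sep else None)
            for k, sep, v in (t.partition(":") for t in toks if t.strip())]

def parse_rule(rule):
    """Return (normalised header, [(keyword, value)]); '\\'+newline continuations are joined."""
    m = HEADER_RE.match(re.sub(r"\\\s*\n\s*", " ", rule))
    if not m: raise ValueError("malformed rule header")
    return " ".join(m.group(1).split()), split_options(m.group(2))

def unknown_options(rule):
    """Keywords Snort would reject with 'unknown rule option'."""
    return [k for k, _ in parse_rule(rule)[1] if k not in KNOWN_OPTIONS]

def rebuild_rule(rule):
    """Re-emit the rule with only known options and tidy spacing."""
    header, opts = parse_rule(rule)
    body = " ".join(f"{k}:{v};" if v is not None else f"{k};" for k, v in opts if k in KNOWN_OPTIONS)
    return f"{header} ({body})"

# Constructed copy of the rule from the thread, with its '\' line continuation.
RULE = ('alert icmp any any -> any any ( itype :8; ipv: 6; \\\n'
        '   msg :" ICMPv4 PING in v6 pkt "; sid :100001; rev :1;)')
```

`unknown_options(RULE)` returns `["ipv"]`; `rebuild_rule(RULE)` gives the same rule with that option dropped, which is the fix the reply implies.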