Snort mailing list archives
RE: Core dumping with more then 1 rule enabled - SUMMARY
From: "Frank Lewandowski" <Boom_ () web de>
Date: Sat, 8 Jun 2002 14:24:38 +0200
So, I figured it out now, going backwards to the original .conf, the problem lies in the *_NET variable declarations, only the "any/any" way works, so not the "hme0_ADDRESS" nor the multiple address declaration in parenthesis, both for IP or *_ADDRESS. Now, despite this change in the .conf variables, snort works, it initializes the internal (hme0 in my case) on start. Have a nice weekend, Frank -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Frank Lewandowski Sent: Friday, June 07, 2002 10:18 PM To: snort-users () lists sourceforge net Subject: [Snort-users] Core dumping with more then 1 rule enabled Hi Folks, Now am a bit into snort, as well as the docs, a last issue not found a help for, is, that i can smoothly start and run snort with actual rule set and snort.conf, though, when i enable more than one rule, it dumps. All pathes set, Version 1.8.4 (Build 99) on Sparc/Solaris 8 precompiled. Command line is /opt/snort/bin/snort -c /opt/snort/etc/snort.conf -D Any help would be appreciated, i post a summary in the end. Thanks in advance, Frank The snort.conf: #-------------------------------------------------- # http://www.snort.org Snort 1.8.6 Ruleset # Contact: snort-sigs () lists sourceforge net #-------------------------------------------------- # NOTE:This ruleset only works for 1.8.0 and later #-------------------------------------------------- # $Id: snort.conf,v 1.77.2.16 2002/06/06 12:24:21 cazz Exp $ # ################################################### # This file contains a sample snort configuration. # You can take the following steps to create your # own custom configuration: # # 1) Set the network variables for your network # 2) Configure preprocessors # 3) Configure output plugins # 4) Customize your rule set # ################################################### # Step #1: Set the network variables: # # You must change the following variables to reflect # your local network. The variable is currently # setup for an RFC 1918 address space. # # You can specify it explicitly as: # # var HOME_NET 10.1.1.0/24 # # or use global variable $<interfacename>_ADDRESS # which will be always initialized to IP address and # netmask of the network interface which you run # snort at. # # var HOME_NET $eth0_ADDRESS # # You can specify lists of IP addresses for HOME_NET # by separating the IPs with commas like this: # # var HOME_NET [10.1.1.0/24,192.168.1.0/24] # # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! # # or you can specify the variable to be any IP address # like this: var HOME_NET $hme0_ADDRESS # Set up the external network addresses as well. # A good start may be "any" var EXTERNAL_NET [$sppp0_ADDRESS,$hme2_ADDRESS] # Set up your SMTP servers, or simply configure them # to HOME_NET var SMTP $HOME_NET # Set up your web servers, or simply configure them # to HOME_NET var HTTP_SERVERS $HOME_NET # Set up your sql servers, or simply configure them # to HOME_NET var SQL_SERVERS $HOME_NET # Define the addresses of DNS servers and other hosts var DNS_SERVERS [192.168.2.0/24,195.49.39.29/32,62.2.33.111/32] var RULE_PATH /opt/snort/etc # Ports you want to look for SHELLCODE on. (By default, not port 80) var SHELLCODE_PORTS !80 # Ports you run web servers on. (By default, port 80) var HTTP_PORTS 80 # Ports you do oracle type stuff on. (Can be 80, as well as all of the # standard oracle ports. (By default, port 1521) var ORACLE_PORTS 1521 ################################################### # Step #2: Configure preprocessors # # General configuration for preprocessors is of # the form # preprocessor <name_of_processor>: <configuration_options> # frag2: IP defragmentation support # ------------------------------- # This preprocessor performs IP defragmentation. This plugin will also detect # people launching fragmentation attacks (usually DoS) against hosts. No # arguments loads the default configuration of the preprocessor, which is a # 60 second timeout and a 4MB fragment buffer. # The following (comma delimited) options are available for frag2 # timeout [seconds] - sets the number of [seconds] than an unfinished # fragment will be kept around waiting for completion, # if this time expires the fragment will be flushed # memcap [bytes] - limit frag2 memory usage to [number] bytes # (default: 4194304) preprocessor frag2 # stream4: stateful inspection/stream reassembly for Snort #---------------------------------------------------------------------- # Use in concert with the -z [all|est] command line switch to defeat # stick/snot against TCP rules. Also performs full TCP stream # reassembly, stateful inspection of TCP streams, etc. Can statefully # detect various portscan types, fingerprinting, ECN, etc. # stateful inspection directive # no arguments loads the defaults (timeout 30, memcap 8388608) # options (options are comma delimited): # detect_scans - stream4 will detect stealth portscans and generate alerts # when it sees them when this option is set # detect_state_problems - detect TCP state problems, this tends to be very # noisy because there are a lot of crappy ip stack # implementations out there # # disable_evasion_alerts - disable fragroute alerting. Useful for # machines with odd retransmission patterns # # keepstats [machine|binary] - keep session statistics, add "machine" to # get them in a flat format for machine reading, add # "binary" to get them in a unified binary output # format # noinspect - turn off stateful inspection only # timeout [number] - set the session timeout counter to [number] seconds, # default is 30 seconds # memcap [number] - limit stream4 memory usage to [number] bytes # log_flushed_streams - if an event is detected on a stream this option will # cause all packets that are stored in the stream4 # packet buffers to be flushed to disk. This only # works when logging in pcap mode! # # preprocessor stream4: detect_scans, disable_evasion_alerts # tcp stream reassembly directive # no arguments loads the default configuration # Only reassemble the client, # Only reassemble the default list of ports (See below), # Give alerts for "bad" streams # # Available options (comma delimited): # clientonly - reassemble traffic for the client side of a connection only # serveronly - reassemble traffic for the server side of a connection only # both - reassemble both sides of a session # noalerts - turn off alerts from the stream reassembly stage of stream4 # ports [list] - use the space separated list of ports in [list], "all" # will turn on reassembly for all ports, "default" will turn # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111 # and 513 preprocessor stream4_reassemble # http_decode: normalize HTTP requests # ------------------------------------ # http_decode normalizes HTTP requests from remote # machines by converting any %XX character # substitutions to their ASCII equivalent. This is # very useful for doing things like defeating hostile # attackers trying to stealth themselves from IDSs by # mixing these substitutions in with the request. # Specify the port numbers you want it to analyze as arguments. # You may also specify -unicode to turn off detection of # UNICODE directory traversal, etc attacks. Use -cginull to # turn off detection of CGI NULL code attacks. preprocessor http_decode: 80 -unicode -cginull # rpc_decode: normalize RPC traffic # --------------------------------- # RPC may be sent in alternate encodings besides the usual # 4-byte encoding that is used by default. This preprocessor # normalized RPC traffic in much the same way as the http_decode # preprocessor. This plugin takes the ports numbers that RPC # services are running on as arguments. preprocessor rpc_decode: 111 32771 # bo: Back Orifice detector # ------------------------- # Detects Back Orifice traffic on the network. This preprocessor # uses the Back Orifice "encryption" algorithm to search for # traffic conforming to the Back Orifice protocol (not BO2K). # This preprocessor can take two arguments. The first is "-nobrute" # which turns off the plugin's brute forcing routine (brute forces # the key space of the protocol to find BO traffic). The second # argument that can be passed to the routine is a number to use # as the default key when trying to decrypt the traffic. The # default value is 31337 (just like BO). Be aware that turning on # the brute forcing option runs the risk of impacting the overall # performance of Snort, you've been warned... preprocessor bo # telnet_decode: Telnet negotiation string normalizer # --------------------------------------------------- # This preprocessor "normalizes" telnet negotiation strings from # telnet and ftp traffic. It works in much the same way as the # http_decode preprocessor, searching for traffic that breaks up # the normal data stream of a protocol and replacing it with # a normalized representation of that traffic so that the "content" # pattern matching keyword can work without requiring modifications. # This preprocessor requires no arguments. preprocessor telnet_decode # portscan: detect a variety of portscans # --------------------------------------- # portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net> # This preprocessor detects UDP packets or TCP SYN packets going to # four different ports in less than three seconds. "Stealth" TCP # packets are always detected, regardless of these settings. preprocessor portscan: $HOME_NET 4 3 portscan.log # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from # specific networks or hosts to reduce false alerts. It is typical # to see many false alerts from DNS servers so you may want to # add your DNS servers here. You can all multiple hosts/networks # in a whitespace-delimited list. # preprocessor portscan-ignorehosts: 192.168.2.0/23 # Spade: the Statistical Packet Anomaly Detection Engine #------------------------------------------------------- # READ the README.Spade file before using this plugin! # # preprocessor spade: <anom-report-thresh> <state-file> # <log-file> <prob-mode> <checkpoint-freq> [-corrscore] # # set this to a directory Spade can read and write to # store its files # # var SPADEDIR . # # preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000 # # put a list of the networks you are interested in Spade observing packets # going to here; separate these by spaces # # preprocessor spade-homenet: 192.168.2.0/23 # # this causes Spade to adjust the reporting threshold automatically # the first argument is the target rate of alerts for normal circumstances # (0.01 = 1% or you can give it an hourly rate) after the first hour (or # however long the period is set to in the second argument), the reporting # threshold given above is ignored you can comment this out to have the # threshold be static, or try one of the other adapt methods below # preprocessor spade-adapt3: 0.01 60 168 # # other possible Spade config lines: # adapt method #1 #preprocessor spade-adapt: 20 2 0.5 # adapt method #2 #preprocessor spade-adapt2: 0.01 15 4 24 7 # offline threshold learning #preprocessor spade-threshlearn: 200 24 # periodically report on the anom scores and count of packets seen #preprocessor spade-survey: $SPADEDIR/survey.txt 60 # print out known stats about packet feature #preprocessor spade-stats: entropy uncondprob condprob # arpspoof #---------------------------------------- # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, # unicast ARP requests, and specific ARP mapping monitoring. To make use # of this preprocessor you must specify the IP and hardware address of hosts on # the same layer 2 segment as you. Specify one host IP MAC combo per line. # Also takes a "-unicast" option to turn on unicast ARP request detection. #preprocessor arpspoof #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 #################################################################### # Step #3: Configure output plugins # # Uncomment and configure the output plugins you decide to use. # General configuration for output plugins is of the form: # # output <name_of_plugin>: <configuration_options> # # alert_syslog: log alerts to syslog # ---------------------------------- # Use one or more syslog facilities as arguments # output alert_syslog: LOG_LOCAL2 # log_tcpdump: log packets in binary tcpdump format # ------------------------------------------------- # The only argument is the output file name. # #output log_tcpdump: /var/log/snort.log # database: log to a variety of databases # --------------------------------------- # See the README.database file for more information about configuring # and using this plugin. # # output database: log, mysql, user=root password=test dbname=db host=localhost # output database: alert, postgresql, user=snort dbname=snort # output database: log, unixodbc, user=snort dbname=snort # output database: log, mssql, dbname=snort user=snort password=test # xml: xml logging # ---------------- # See the README.xml file for more information about configuring # and using this plugin. # # output xml: log, file=/var/log/snortxml # unified: Snort unified binary format alerting and logging # ------------------------------------------------------------- # The unified output plugin provides two new formats for logging # and generating alerts from Snort, the "unified" format. The # unified format is a straight binary format for logging data # out of Snort that is designed to be fast and efficient. Used # with barnyard (the new alert/log processor), most of the overhead # for logging and alerting to various slow storage mechanisms # such as databases or the network can now be avoided. # # Check out the spo_unified.h file for the data formats. # # Two arguments are supported. # filename - base filename to write to (current time_t is appended) # limit - maximum size of spool file in MB (default: 128) # # output alert_unified: filename snort.alert, limit 128 # output log_unified: filename snort.log, limit 128 # trap_snmp: SNMP alerting for Snort # ------------------------------------------------------------- # Read the README-SNMP file for more information on enabling and using this # plug-in. # # # The SnmpTrapGenerator outputplugin requires several parameters # The parameters depend on the Snmpversion that is used (specified) # For the SNMPv2c case the paremeters will be as follows # alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber> # <hostName> <community> # # For SNMPv2c traps # #output trap_snmp: alert, 7, trap -v 2c -p 162 myTrapListener myCommunity # # For SNMPv2c informs # #output trap_snmp: alert, 7, inform -v 2c -p 162 myTrapListener myCommunity # # For SNMPv3 traps with # security name = snortUser # security level = authentication and privacy # authentication parameters : # authentication protocol = SHA , # authentication pass phrase = SnortAuthPassword # privacy (encryption) parameters # privacy protocol = DES, # privacy pass phrase = SnortPrivPassword # #output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener #For SNMPv3 informs with authentication and encryption #output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener # You can optionally define new rule types and associate one or # more output plugins specifically to that type. # # This example will create a type that will log to just tcpdump. # ruletype suspicious # { # type log # output log_tcpdump: suspicious.log # } # # EXAMPLE RULE FOR SUSPICIOUS RULETYPE: # suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) # # This example will create a rule type that will log to syslog # and a mysql database. # ruletype redalert # { # type alert # output alert_syslog: LOG_AUTH LOG_ALERT # output database: log, mysql, user=snort dbname=snort host=localhost # } # # EXAMPLE RULE FOR REDALERT RULETYPE # redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \ # flags:A+;) # # Include classification & priority settings # include classification.config #################################################################### # Step #4: Customize your rule set # # Up to date snort rules are available at http://www.snort.org # # The snort web site has documentation about how to write your own # custom snort rules. # # The rules included with this distribution generate alerts based on # on suspicious activity. Depending on your network environment, your # security policies, and what you consider to be suspicious, some of # these rules may either generate false positives ore may be detecting # activity you consider to be acceptable; therefore, you are # encouraged to comment out rules that are not applicable in your # environment. # # Note that using all of the rules at the same time may lead to # serious packet loss on slower machines. YMMV, use with caution, # standard disclaimers apply. :) # # The following individuals contributed many of rules in this # distribution. # # Credits: # Ron Gula <rgula () securitywizards com> of Network Security Wizards # Max Vision <vision () whitehats com> # Martin Markgraf <martin () mail du gtn com> # Fyodor Yarochkin <fygrave () tigerteam net> # Nick Rogness <nick () rapidnet com> # Jim Forster <jforster () rapidnet com> # Scott McIntyre <scott () whoi edu> # Tom Vandepoel <Tom.Vandepoel () ubizen com> # Brian Caswell <bmc () snort org> # Zeno <admin () cgisecurity com> # Ryan Russell <ryan () securityfocus com> # #========================================= # Include all relevant rulesets here # # shellcode, policy, info, backdoor, and virus rulesets are # disabled by default. These require tuning and maintance. # Please read the included specific file for more information. #========================================= #include $RULE_PATH/bad-traffic.rules #include $RULE_PATH/exploit.rules include $RULE_PATH/scan.rules #include $RULE_PATH/finger.rules #include $RULE_PATH/ftp.rules #include $RULE_PATH/telnet.rules #include $RULE_PATH/smtp.rules #include $RULE_PATH/rpc.rules #include $RULE_PATH/rservices.rules #include $RULE_PATH/dos.rules #include $RULE_PATH/ddos.rules #include $RULE_PATH/dns.rules #include $RULE_PATH/tftp.rules #include $RULE_PATH/web-cgi.rules #include $RULE_PATH/web-coldfusion.rules #include $RULE_PATH/web-iis.rules #include $RULE_PATH/web-frontpage.rules #include $RULE_PATH/web-misc.rules #include $RULE_PATH/web-attacks.rules #include $RULE_PATH/sql.rules #include $RULE_PATH/x11.rules #include $RULE_PATH/icmp.rules #include $RULE_PATH/netbios.rules #include $RULE_PATH/misc.rules #include $RULE_PATH/attack-responses.rules # include $RULE_PATH/backdoor.rules # include $RULE_PATH/shellcode.rules # include $RULE_PATH/policy.rules # include $RULE_PATH/porn.rules # include $RULE_PATH/info.rules # include $RULE_PATH/icmp-info.rules # include $RULE_PATH/virus.rules # include $RULE_PATH/experimental.rules #include $RULE_PATH/local.rules _______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Core dumping with more then 1 rule enabled Frank Lewandowski (Jun 07)
- RE: Core dumping with more then 1 rule enabled - SUMMARY Frank Lewandowski (Jun 08)
- Re: Core dumping with more then 1 rule enabled Chris Green (Jun 08)
- Re: Core dumping with more then 1 rule enabled Chris Green (Jun 08)
- Re: Core dumping with more then 1 rule enabled James Hoagland (Jun 08)