Snort mailing list archives
RE: Unable to receive alerts
From: "Sadanapalli, Pradeep Kumar (MED, TCS)" <Pradeep.Sadanapalli () med ge com>
Date: Fri, 28 Feb 2003 14:34:58 -0600
Thanks Joe. But still, when I am running the snortd script, my network interface remains in promiscous mode and I am losing network connection. Why my network connection is getting disabled when I run the snortd script? Am I doing something wrong? Thanks in advance for all your help Pradeep -----Original Message----- From: Joe Giles [mailto:jgiles () joeman1 com] Sent: Friday, February 28, 2003 2:16 PM To: Sadanapalli, Pradeep Kumar (MED, TCS) Cc: 'snort-users () lists sourceforge net' Subject: Re: [Snort-users] Unable to receive alerts Well, I'm certainly not an expert on SNORT, although I use it on my network. One thing I noticed about your config file was that you are not defining any report output to anything. All the output options are commented out with the #. Verify this and if need be fix it. Or, recommend a good optometrist to me :-D Joe On Fri, 2003-02-28 at 12:43, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:
Hi Friends, I am a snort newbie. I am running redhat linux 8.0 on my dell latitude C610. I want to run Snort as an IDS and would like to be alerted about the network traffic on my network interface. I am using a Lucent Wireless Network Card. I installed snort-1.9.0 as below. cp snort-1.9.0.tar.gz /home/pradeep/ cp libcap-0.7.1.tar.gz /home/pradeep cd /home/pradeep tar -xzf libpcap-0.7.1.tar.gz cd libpcap-0.7.1 ./configure make make install cd .. tar -xzf snort-1.9.0.tar.gz cd snort-1.9.0 ./configure make make install mkdir /etc/snort cp etc/snort.conf /etc/snort/snort.conf mkdir /var/log/snort mkdir /IDS cp -ax rules /IDS/rules I am pasting below my snort.conf and snortd script for reference. /etc/rc.d/init.d/snortd start When I execute "dmesg |tail -1" it says "device eth1 entered promiscous mode" I am losing network connection i.e I am even unable to ping to any
other
computer in the network. So I am not receiving any alerts . /var/log/snort/alert is always remaining empty. Please someone help what is going wrong? Thanks in advance for all your help.. Pradeep ****************SNORTD****************** #!/bin/sh # # snortd Start/Stop the snort IDS daemon. # # chkconfig: 2345 40 60 # description: snort is a lightweight network intrusion detection
tool
\ # that currently detects more than 1100 host and network \ # vulnerabilities, portscans, backdoors, and more. # processname: snort # config: /etc/snort/snort.conf # Source function library. . /etc/rc.d/init.d/functions # Specify your network interface here INTERFACE=eth1 LOGDIR=/var/log/snort/ CONFIGFILE=/etc/snort/snort.conf SNORTBINARY=/usr/local/bin/snort RETVAL=0 start() { echo -n $"Starting snort: " daemon $SNORTBINARY -A fast -b -l /var/log/snort -d -D -i $INTERFACE -c $CONFIGFILE RETVAL=$? [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snortd echo echo -n $"(log to " $LOGDIR " with configfile " $CONFIGFILE
")"
echo } stop() { echo -n $"Stopping snort: " killproc snort RETVAL=$? rm -f /var/lock/subsys/snortd echo } dostatus() { status snort RETVAL=$? } restart() { stop start RETVAL=$? } condrestart() { [ -e /var/lock/subsys/snortd ] && restart || : } # See how we were called. case "$1" in start) start ;; stop) stop ;; status) dostatus ;; restart|reload) restart ;; condrestart) condrestart ;; *) echo "Usage: snortd {start|stop|status|restart|condrestart}" exit 1 esac exit $RETVAL ****************SNORTD****************** ****************SNORTD.CONF****************** #-------------------------------------------------- # http://www.snort.org Snort 1.8.6 Ruleset # Contact: snort-sigs () lists sourceforge net #-------------------------------------------------- # NOTE:This ruleset only works for 1.8.0 and later #-------------------------------------------------- # $Id: snort.conf,v 1.77.2.19 2002/06/29 13:32:48 chrisgreen Exp $ # ################################################### # This file contains a sample snort configuration. # You can take the following steps to create your # own custom configuration: # # 1) Set the network variables for your network # 2) Configure preprocessors # 3) Configure output plugins # 4) Customize your rule set # ################################################### # Step #1: Set the network variables: # var HOME_NET x.0.0.0/24 var EXTERNAL_NET any #var EXTERNAL_NET $eth0_ADDRESS var SMTP $HOME_NET var SMTP_SERVERS $HOME_NET var HTTP_SERVERS $HOME_NET var SQL_SERVERS $HOME_NET var DNS_SERVERS x.x.x.x, x.x.x.x var TELNET_SERVERS $HOME_NET var AIM_SERVERS $HOME_NET var RULE_PATH /IDS/rules var SHELLCODE_PORTS !80 var HTTP_PORTS 80 var ORACLE_PORTS 1521 ################################################### # Step #2: Configure preprocessors # # General configuration for preprocessors is of # the form # preprocessor <name_of_processor>: <configuration_options> # frag2: IP defragmentation support # ------------------------------- # This preprocessor performs IP defragmentation. This plugin will
also
detect # people launching fragmentation attacks (usually DoS) against hosts. No # arguments loads the default configuration of the preprocessor, which is a # 60 second timeout and a 4MB fragment buffer. # The following (comma delimited) options are available for frag2 # timeout [seconds] - sets the number of [seconds] than an
unfinished
# fragment will be kept around waiting for completion, # if this time expires the fragment will be flushed # memcap [bytes] - limit frag2 memory usage to [number] bytes # (default: 4194304) preprocessor frag2 # stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat # stick/snot against TCP rules. Also performs full TCP stream # reassembly, stateful inspection of TCP streams, etc. Can statefully # detect various portscan types, fingerprinting, ECN, etc. # stateful inspection directive # no arguments loads the defaults (timeout 30, memcap 8388608) # options (options are comma delimited): # detect_scans - stream4 will detect stealth portscans and generate alerts # when it sees them when this option is set # detect_state_problems - detect TCP state problems, this tends to
be
very # noisy because there are a lot of crappy ip stack # implementations out there # # disable_evasion_alerts - disable fragroute alerting. Useful for # machines with odd retransmission
patterns
# # keepstats [machine|binary] - keep session statistics, add
"machine"
to # get them in a flat format for machine
reading,
add # "binary" to get them in a unified binary output # format # noinspect - turn off stateful inspection only # timeout [number] - set the session timeout counter to [number] seconds, # default is 30 seconds # memcap [number] - limit stream4 memory usage to [number] bytes # log_flushed_streams - if an event is detected on a stream this option will # cause all packets that are stored in the stream4 # packet buffers to be flushed to disk. This only # works when logging in pcap mode! # # preprocessor stream4: detect_scans, disable_evasion_alerts # tcp stream reassembly directive # no arguments loads the default configuration # Only reassemble the client, # Only reassemble the default list of ports (See below), # Give alerts for "bad" streams # # Available options (comma delimited): # clientonly - reassemble traffic for the client side of a
connection
only # serveronly - reassemble traffic for the server side of a
connection
only # both - reassemble both sides of a session # noalerts - turn off alerts from the stream reassembly stage of stream4 # ports [list] - use the space separated list of ports in [list], "all" # will turn on reassembly for all ports, "default"
will
turn # on reassembly for ports 21, 23, 25, 53, 80, 143,
110,
111 # and 513 preprocessor stream4_reassemble # http_decode: normalize HTTP requests # ------------------------------------ # http_decode normalizes HTTP requests from remote # machines by converting any %XX character # substitutions to their ASCII equivalent. This is # very useful for doing things like defeating hostile # attackers trying to stealth themselves from IDSs by # mixing these substitutions in with the request. # Specify the port numbers you want it to analyze as arguments. # You may also specify -unicode to turn off detection of # UNICODE directory traversal, etc attacks. Use -cginull to # turn off detection of CGI NULL code attacks. preprocessor http_decode: 80 # rpc_decode: normalize RPC traffic # --------------------------------- # RPC may be sent in alternate encodings besides the usual # 4-byte encoding that is used by default. This preprocessor # normalized RPC traffic in much the same way as the http_decode # preprocessor. This plugin takes the ports numbers that RPC # services are running on as arguments. preprocessor rpc_decode: 111 32771 # bo: Back Orifice detector # ------------------------- # Detects Back Orifice traffic on the network. This preprocessor # uses the Back Orifice "encryption" algorithm to search for # traffic conforming to the Back Orifice protocol (not BO2K). # This preprocessor can take two arguments. The first is "-nobrute" # which turns off the plugin's brute forcing routine (brute forces # the key space of the protocol to find BO traffic). The second # argument that can be passed to the routine is a number to use # as the default key when trying to decrypt the traffic. The # default value is 31337 (just like BO). Be aware that turning on # the brute forcing option runs the risk of impacting the overall # performance of Snort, you've been warned... preprocessor bo # telnet_decode: Telnet negotiation string normalizer # --------------------------------------------------- # This preprocessor "normalizes" telnet negotiation strings from # telnet and ftp traffic. It works in much the same way as the # http_decode preprocessor, searching for traffic that breaks up # the normal data stream of a protocol and replacing it with # a normalized representation of that traffic so that the "content" # pattern matching keyword can work without requiring modifications. # This preprocessor requires no arguments. preprocessor telnet_decode # portscan: detect a variety of portscans # --------------------------------------- # portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net> # This preprocessor detects UDP packets or TCP SYN packets going to # four different ports in less than three seconds. "Stealth" TCP # packets are always detected, regardless of these settings. preprocessor portscan: $HOME_NET 4 3 portscan.log preprocessor portscan: $EXTERNAL_NET 4 3 portscan.log # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from # specific networks or hosts to reduce false alerts. It is typical # to see many false alerts from DNS servers so you may want to # add your DNS servers here. You can all multiple hosts/networks # in a whitespace-delimited list. # # preprocessor portscan-ignorehosts: 0.0.0.0 $DNS_SERVERS # Spade: the Statistical Packet Anomaly Detection Engine #------------------------------------------------------- # READ the README.Spade file before using this plugin! # # preprocessor spade: <anom-report-thresh> <state-file> # <log-file> <prob-mode> <checkpoint-freq> [-corrscore] # # set this to a directory Spade can read and write to # store its files # # var SPADEDIR . # # preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000 # # put a list of the networks you are interested in Spade observing packets # going to here; separate these by spaces # # preprocessor spade-homenet: 0.0.0.0/0 # # this causes Spade to adjust the reporting threshold automatically # the first argument is the target rate of alerts for normal circumstances # (0.01 = 1% or you can give it an hourly rate) after the first hour
(or
# however long the period is set to in the second argument), the reporting # threshold given above is ignored you can comment this out to have
the
# threshold be static, or try one of the other adapt methods below # preprocessor spade-adapt3: 0.01 60 168 # # other possible Spade config lines: # adapt method #1 #preprocessor spade-adapt: 20 2 0.5 # adapt method #2 #preprocessor spade-adapt2: 0.01 15 4 24 7 # offline threshold learning #preprocessor spade-threshlearn: 200 24 # periodically report on the anom scores and count of packets seen #preprocessor spade-survey: $SPADEDIR/survey.txt 60 # print out known stats about packet feature #preprocessor spade-stats: entropy uncondprob condprob # arpspoof #---------------------------------------- # Experimental ARP detection code from Jeff Nathan, detects ARP
attacks,
# unicast ARP requests, and specific ARP mapping monitoring. To make use # of this preprocessor you must specify the IP and hardware address of hosts on # the same layer 2 segment as you. Specify one host IP MAC combo per line. # Also takes a "-unicast" option to turn on unicast ARP request detection. #preprocessor arpspoof #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 #################################################################### # Step #3: Configure output plugins # # Uncomment and configure the output plugins you decide to use. # General configuration for output plugins is of the form: # # output <name_of_plugin>: <configuration_options> # # alert_syslog: log alerts to syslog # ---------------------------------- # Use one or more syslog facilities as arguments # # output alert_syslog: LOG_AUTH LOG_ALERT # log_tcpdump: log packets in binary tcpdump format # ------------------------------------------------- # The only argument is the output file name. # # output log_tcpdump: snort.log # database: log to a variety of databases # --------------------------------------- # See the README.database file for more information about configuring # and using this plugin. # # output database: log, mysql, user=root password=test dbname=db host=localhost # output database: alert, postgresql, user=snort dbname=snort # output database: log, unixodbc, user=snort dbname=snort # output database: log, mssql, dbname=snort user=snort password=test # xml: xml logging # ---------------- # See the README.xml file for more information about configuring # and using this plugin. # # output xml: log, file=/var/log/snortxml # unified: Snort unified binary format alerting and logging # ------------------------------------------------------------- # The unified output plugin provides two new formats for logging # and generating alerts from Snort, the "unified" format. The # unified format is a straight binary format for logging data # out of Snort that is designed to be fast and efficient. Used # with barnyard (the new alert/log processor), most of the overhead # for logging and alerting to various slow storage mechanisms # such as databases or the network can now be avoided. # # Check out the spo_unified.h file for the data formats. # # Two arguments are supported. # filename - base filename to write to (current time_t is appended) # limit - maximum size of spool file in MB (default: 128) # # output alert_unified: filename snort.alert, limit 128 # output log_unified: filename snort.log, limit 128 # trap_snmp: SNMP alerting for Snort # ------------------------------------------------------------- # Read the README-SNMP file for more information on enabling and using this # plug-in. # # # The SnmpTrapGenerator outputplugin requires several parameters # The parameters depend on the Snmpversion that is used (specified) # For the SNMPv2c case the paremeters will be as follows # alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber> # <hostName> <community> # # For SNMPv2c traps # #output trap_snmp: alert, 7, trap -v 2c -p 162 myTrapListener myCommunity # # For SNMPv2c informs # #output trap_snmp: alert, 7, inform -v 2c -p 162 myTrapListener myCommunity # # For SNMPv3 traps with # security name = snortUser # security level = authentication and privacy # authentication parameters : # authentication protocol = SHA , # authentication pass phrase = SnortAuthPassword # privacy (encryption) parameters # privacy protocol = DES, # privacy pass phrase = SnortPrivPassword # #output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener #For SNMPv3 informs with authentication and encryption #output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l
authPriv
-a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener # You can optionally define new rule types and associate one or # more output plugins specifically to that type. # # This example will create a type that will log to just tcpdump. # ruletype suspicious # { # type log # output log_tcpdump: suspicious.log # } # # EXAMPLE RULE FOR SUSPICIOUS RULETYPE: # suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) # # This example will create a rule type that will log to syslog # and a mysql database. # ruletype redalert # { # type alert # output alert_syslog: LOG_AUTH LOG_ALERT # output database: log, mysql, user=snort dbname=snort
host=localhost
# } # # EXAMPLE RULE FOR REDALERT RULETYPE # redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \ # flags:A+;) # # Include classification & priority settings # include classification.config #################################################################### # Step #4: Customize your rule set # # Up to date snort rules are available at http://www.snort.org # # The snort web site has documentation about how to write your own # custom snort rules. # # The rules included with this distribution generate alerts based on # on suspicious activity. Depending on your network environment, your # security policies, and what you consider to be suspicious, some of # these rules may either generate false positives ore may be detecting # activity you consider to be acceptable; therefore, you are # encouraged to comment out rules that are not applicable in your # environment. # # Note that using all of the rules at the same time may lead to # serious packet loss on slower machines. YMMV, use with caution, # standard disclaimers apply. :) # # The following individuals contributed many of rules in this # distribution. # # Credits: # Ron Gula <rgula () securitywizards com> of Network Security Wizards # Max Vision <vision () whitehats com> # Martin Markgraf <martin () mail du gtn com> # Fyodor Yarochkin <fygrave () tigerteam net> # Nick Rogness <nick () rapidnet com> # Jim Forster <jforster () rapidnet com> # Scott McIntyre <scott () whoi edu> # Tom Vandepoel <Tom.Vandepoel () ubizen com> # Brian Caswell <bmc () snort org> # Zeno <admin () cgisecurity com> # Ryan Russell <ryan () securityfocus com> # #========================================= # Include all relevant rulesets here # # shellcode, policy, info, backdoor, and virus rulesets are # disabled by default. These require tuning and maintance. # Please read the included specific file for more information. #========================================= include $RULE_PATH/bad-traffic.rules include $RULE_PATH/exploit.rules include $RULE_PATH/scan.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/telnet.rules include $RULE_PATH/smtp.rules include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/dos.rules include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/tftp.rules include $RULE_PATH/web-cgi.rules include $RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-iis.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/sql.rules include $RULE_PATH/x11.rules include $RULE_PATH/icmp.rules include $RULE_PATH/netbios.rules include $RULE_PATH/misc.rules include $RULE_PATH/attack-responses.rules include $RULE_PATH/backdoor.rules # include $RULE_PATH/shellcode.rules # include $RULE_PATH/policy.rules # include $RULE_PATH/porn.rules # include $RULE_PATH/info.rules # include $RULE_PATH/icmp-info.rules # include $RULE_PATH/virus.rules include local.rules ****************SNORTD.CONF****************** ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Unable to receive alerts Sadanapalli, Pradeep Kumar (MED, TCS) (Feb 28)
- Re: Unable to receive alerts Joe Giles (Feb 28)
- <Possible follow-ups>
- RE: Unable to receive alerts Sadanapalli, Pradeep Kumar (MED, TCS) (Feb 28)
- RE: Unable to receive alerts Joe Giles (Feb 28)
- RE: Unable to receive alerts Erek Adams (Feb 28)