Too little traffic being seen!

[Adrian.Mink () pinnaclewest com]

Hello, 

I am running snort 2.0 on a Redhat 8.0 system using a stealth interface.
(No IP address on eth0) 
It is plugged into a switch setup as a span port, over which is flowing
a large amount of traffic. There 
is another IDS plugged into the same switch, which is alerting on the
traffic. However, snort is only 
generating maybe 1-2 alerts per hour, which is WAY to low. I even took
it home (it's on a laptop) and plugged 
it in outside of my firewall on a cable connection and saw the same
thing. So, I am hoping my config is messed up
somehow, will someone take a look at it and let me know if there are any
glaring issues? I am getting a very few alerts, 
and when I fire up ethereal I can see the raw traffic so I know the data
is getting to the system. Help?



Adrian


#--------------------------------------------------
#   http://www.snort.org     Snort 1.9.0 Ruleset
#     Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# NOTE:This ruleset only works for 1.9.0 and later
#--------------------------------------------------
# $Id: snort.conf,v 1.110.2.4 2002/11/17 04:40:07 cazz Exp $
#
###################################################
# This file contains a sample snort configuration. 
# You can take the following steps to create your 
# own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently 
# setup for an RFC 1918 address space.
#
# You can specify it explicitly as: 
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS 
# which will be always initialized to IP address and 
# netmask of the network interface which you run
# snort at.
#
var HOME_NET any
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

# var HOME_NET any

# Set up the external network addresses as well.  
# A good start may be "any"

var EXTERNAL_NET any

# Configure your server lists.  This allows snort to only look for
attacks # to systems that have a service up.  Why look for HTTP attacks
if you are # not running a web server?  This allows quick filtering
based on IP addresses # These configurations MUST follow the same
configuration scheme as defined # above for $HOME_NET.  

# List of DNS servers on your network 
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network 
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# Configure your service ports.  This allows snort to look for attacks 
# destined to a specific application only on the ports that application
# runs on.  For example, if you run a web server on port 8081, set your
# HTTP_PORTS variable like this: # # var HTTP_PORTS 8081 # # Port lists
must either be continuous [eg 80:8080], or a single port [eg 80]. # We
will adding support for a real list of ports in the future.

# Ports you run web servers on
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

# other variables
# 
# AIM servers.  AOL has a habit of adding new AIM servers, so instead of

# modifying the signatures when they do, we add them to this list of 
# servers.
var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,
64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort

###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor <name_of_processor>: <configuration_options>

# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation.  This plugin will also
detect # people launching fragmentation attacks (usually DoS) against
hosts.  No # arguments loads the default configuration of the
preprocessor, which is a 
# 60 second timeout and a 4MB fragment buffer. 

# The following (comma delimited) options are available for frag2
#    timeout [seconds] - sets the number of [seconds] than an unfinished

#                        fragment will be kept around waiting for
completion,
#                        if this time expires the fragment will be
flushed
#    memcap [bytes] - limit frag2 memory usage to [number] bytes
#                      (default:  4194304)
#
#    min_ttl [number] - minimum ttl to accept
# 
#    ttl_limit [number] - difference of ttl to accept without alerting
#                         will cause false positves with router flap
# 
# Frag2 uses Generator ID 113 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Oversized fragment (reassembled frag > 64k bytes)
#   2       Teardrop-type attack

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat 
# stick/snot against TCP rules.  Also performs full TCP stream 
# reassembly, stateful inspection of TCP streams, etc.  Can statefully #
detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608) # options
(options are comma delimited):
#   detect_scans - stream4 will detect stealth portscans and generate
alerts
#                  when it sees them when this option is set
#   detect_state_problems - detect TCP state problems, this tends to be
very
#                           noisy because there are a lot of crappy ip
stack
#                           implementations out there
#
#   disable_evasion_alerts - turn off the possibly noisy mitigation of
#                            overlapping sequences.
#
#   min_ttl - this option has been moved to config min_ttl: <int>
#
#   ttl_limit [number]     - differential of the initial ttl on a
session versus
#                             the normal that someone may be playing
games.
#                             Routing flap may cause lots of false
positives.
# 
#   keepstats [machine|binary] - keep session statistics, add "machine"
to 
#                         get them in a flat format for machine reading,
add
#                         "binary" to get them in a unified binary
output 
#                         format
#   noinspect - turn off stateful inspection only
#   timeout [number] - set the session timeout counter to [number]
seconds,
#                      default is 30 seconds
#   memcap [number] - limit stream4 memory usage to [number] bytes
#   log_flushed_streams - if an event is detected on a stream this
option will
#                         cause all packets that are stored in the
stream4
#                         packet buffers to be flushed to disk.  This
only 
#                         works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Stealth activity
#   2       Evasive RST packet
#   3       Evasive TCP packet retransmission
#   4       TCP Window violation
#   5       Data on SYN packet
#   6       Stealth scan: full XMAS
#   7       Stealth scan: SYN-ACK-PSH-URG
#   8       Stealth scan: FIN scan
#   9       Stealth scan: NULL scan
#   10      Stealth scan: NMAP XMAS scan
#   11      Stealth scan: Vecna scan
#   12      Stealth scan: NMAP fingerprint scan stateful detect
#   13      Stealth scan: SYN-FIN scan
#   14      TCP forward overlap

preprocessor stream4: detect_scans, disable_evasion_alerts

# tcp stream reassembly directive
# no arguments loads the default configuration 
#   Only reassemble the client,
#   Only reassemble the default list of ports (See below),  
#   Give alerts for "bad" streams
#
# Available options (comma delimited):
#   clientonly - reassemble traffic for the client side of a connection
only
#   serveronly - reassemble traffic for the server side of a connection
only
#   both - reassemble both sides of a session
#   noalerts - turn off alerts from the stream reassembly stage of
stream4
#   ports [list] - use the space separated list of ports in [list],
"all" 
#                  will turn on reassembly for all ports, "default" will
turn
#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110,
111
#                  and 513

preprocessor stream4_reassemble

# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote 
# machines by converting any %XX character 
# substitutions to their ASCII equivalent. This is
# very useful for doing things like defeating hostile
# attackers trying to stealth themselves from IDSs by
# mixing these substitutions in with the request. 
# Specify the port numbers you want it to analyze as arguments. # #
Major code cleanups thanks to rfp #
# unicode          - normalize unicode
# iis_alt_unicode  - %u encoding from iis 
# double_encode    - alert on possible double encodings
# iis_flip_slash   - normalize \ as /
# full_whitespace  - treat \t as whitespace ( for apache )
#
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       UNICODE attack
#   2       NULL byte attack

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slash full_whitespace

# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual
# 4-byte encoding that is used by default.  This preprocessor
# normalized RPC traffic in much the same way as the http_decode #
preprocessor.  This plugin takes the ports numbers that RPC 
# services are running on as arguments.
# The RPC decode preprocessor uses generator ID 106 and does not #
generate any SIDs at this time.

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.  This preprocessor # uses
the Back Orifice "encryption" algorithm to search for 
# traffic conforming to the Back Orifice protocol (not BO2K).
# This preprocessor can take two arguments.  The first is "-nobrute" #
which turns off the plugin's brute forcing routine (brute forces 
# the key space of the protocol to find BO traffic).  The second #
argument that can be passed to the routine is a number to use # as the
default key when trying to decrypt the traffic.  The 
# default value is 31337 (just like BO).  Be aware that turning on # the
brute forcing option runs the risk of impacting the overall #
performance of Snort, you've been warned... # 
# The Back Orifice detector uses Generator ID 105 and uses the 
# following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Back Orifice traffic detected

preprocessor bo: -nobrute

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from #
telnet and ftp traffic.  It works in much the same way as the 
# http_decode preprocessor, searching for traffic that breaks up # the
normal data stream of a protocol and replacing it with 
# a normalized representation of that traffic so that the "content" #
pattern matching keyword can work without requiring modifications. #
This preprocessor requires no arguments. # Portscan uses Generator ID
109 and does not generate any SID currently.

preprocessor telnet_decode

# Portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net> # This
preprocessor detects UDP packets or TCP SYN packets going to # four
different ports in less than three seconds. "Stealth" TCP # packets are
always detected, regardless of these settings. # Portscan uses Generator
ID 100 and uses the following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Portscan detect
#   2       Inter-scan info
#   3       Portscan End

preprocessor portscan: $HOME_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from #
specific networks or hosts to reduce false alerts. It is typical # to
see many false alerts from DNS servers so you may want to # add your DNS
servers here. You can all multiple hosts/networks # in a
whitespace-delimited list. # #preprocessor portscan-ignorehosts: 0.0.0.0

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,

# unicast ARP requests, and specific ARP mapping monitoring.  To make
use # of this preprocessor you must specify the IP and hardware address
of hosts on # the same layer 2 segment as you.  Specify one host IP MAC
combo per line. # Also takes a "-unicast" option to turn on unicast ARP
request detection. 
# Arpspoof uses Generator ID 112 and uses the following SIDS for that
GID:
#  SID     Event description
# -----   -------------------
#   1       Unicast ARP request
#   2       Etherframe ARP mismatch (src)
#   3       Etherframe ARP mismatch (dst)
#   4       ARP cache overwrite attack

#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

# ASN1 Decode
#-----------------------------------------
# This is an experimental preprocessor.  ASN.1 decoder and analysis
plugin 
# from Andrew R. Baker.  This preprocessor will detect abuses of the
ASN.1 
# protocol that higher level protocols (like SSL, SNMP, x.509, etc) rely
on. # The ASN.1 decoder uses Generator ID 115 and uses the following
SIDs for 
# that GID:
#  SID     Event description
# -----   -------------------
#   1       Indefinite length
#   2       Invalid length
#   3       Oversized item
#   4       ASN.1 specification violation
#   5       Dataum bad length

# preprocessor asn1_decode

# Fnord 
#-----------------------------------------
# This is an experimental preprocessor.  Polymorphic shellcode analyzer
and # detector by Dragos Ruiu.  This preprocessor will watch traffic for

# polymorphic NOP-type sleds to defeat tools like ADMutate.  The Fnord
detector # uses Generator ID 114 and the following SIDs:
#  SID     Event description
# -----   -------------------
#   1       NOP-sled detected 

# preprocessor fnord

# Conversation
#------------------------------------------
# This preprocessor tracks conversations for tcp, udp and icmp traffic.
It # is a prerequisite for running portscan2. # # allowed_ip_protcols 1
6 17
#      list of allowed ip protcols ( defaults to any )
#
# timeout [num]
#      conversation timeout ( defaults to 60 )
#
#
# max_conversations [num] 
#      number of conversations to support at once (defaults to 65335)
#
#
# alert_odd_protocols
#      alert on protocols not listed in allowed_ip_protocols

preprocessor conversation: allowed_ip_protocols all, timeout 60,
max_conversations 32000

# Portscan2
#-------------------------------------------
# Portscan 2, detect portscans in a new and exciting way.
#
# Available options:
#       scanners_max [num] 
#       targets_max [num]
#       target_limit [num]
#       port_limit [num]
#       timeout [num]
#       log [logdir]

preprocessor portscan2: scanners_max 3200, targets_max 5000,
target_limit 5, port_limit 20, timeout 60

# Experimental Perf stats
# -----------------------
# No docs. Highly subject to change.
# 
# preprocessor perfmonitor: console flow events time 10

####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use. #
General configuration for output plugins is of the form: # # output
<name_of_plugin>: <configuration_options> # # alert_syslog: log alerts
to syslog # ----------------------------------
# Use one or more syslog facilities as arguments
#
# output alert_syslog: LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring #
and using this plugin. # output database: log, mysql, user=snort
password=snort dbname=snort host=127.0.0.1 # output database: alert,
postgresql, user=snort dbname=snort # output database: log, unixodbc,
user=snort dbname=snort # output database: log, mssql, dbname=snort
user=snort password=snort

# xml: xml logging
# ----------------
# See the README.xml file for more information about configuring # and
using this plugin. # # output xml: log, file=/var/log/snortxml

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging # and
generating alerts from Snort, the "unified" format.  The # unified
format is a straight binary format for logging data 
# out of Snort that is designed to be fast and efficient.  Used # with
barnyard (the new alert/log processor), most of the overhead # for
logging and alerting to various slow storage mechanisms # such as
databases or the network can now be avoided.  
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128

# trap_snmp: SNMP alerting for Snort
# -------------------------------------------------------------
# Read the README.SNMP file for more information on enabling and using
this # plug-in. # #

#The trap_snmp plugin accepts the following notification options #
[c],[p[m|s]] # where,
#     c : Generate compact notifications. (Saves on bandwidth by
#         not reporting MOs for which values are unknown, not
#         available or, not applicable). By default this option is
reset.
#     p : Generate a print of the invariant part of the offending
packet. 
#         This can be used to track the packet across the Internet.
#         By default this option is reset.
#     m : Use the MD5 algorithm to generate the packet print.
#         By default this algorithm is used.
#     s : Use the SHA1 algorithm to generate the packet print.
#
# The trap_snmp plugin requires several parameters 
# The parameters depend on the SNMP version that is used (specified) #
For the SNMPv2c case the parameters will be as follows #  alert,
<sensorID>, [NotificationOptions] , {trap|inform} 
#         -v <SnmpVersion> [-p <portNumber>] -c <community> <hostName> 
#
# For SNMPv2c traps to the standard snmpTrap port# 162 with 
# MD5-digest based packetPrint generation  
#
# output trap_snmp: alert, 7, cpm, trap -v 2c -c myCommunity
myTrapListener 
#
# For SNMPv2c informs with the 'compact' notification option to port 999
# # output trap_snmp: alert, 7, c, inform -v 2c -p 999 -c myCommunity
myTrapListener 
#
#
# For SNMPv3 traps with 
# security name = snortUser 
# security level = authentication and privacy
# authentication parameters :
#           authentication protocol = SHA , 
#           authentication pass phrase = SnortAuthPassword
# privacy (encryption) parameters 
#           privacy protocol = DES, 
#           privacy pass phrase = SnortPrivPassword
#
#output trap_snmp: alert, 7, trap -v 3 -u snortUser -l authPriv -a SHA
-A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener #For
SNMPv3 informs with authentication and encryption to myTrapListener 
#on port 999
#output trap_snmp: alert, 7, inform -v 3 -p 999 -u snortUser -l authPriv
-a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener

# You can optionally define new rule types and associate one or 
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump. #
ruletype suspicious # {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC
Server";) # # This example will create a rule type that will log to
syslog # and a mysql database. # ruletype redalert # {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE
# redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being
LEET"; \
#   flags:A+;)

#
# Include classification & priority settings
#

include classification.config

#
# Include reference systems
#

include reference.config

####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org # # The
snort web site has documentation about how to write your own 
# custom snort rules.
#
# The rules included with this distribution generate alerts based on #
on suspicious activity. Depending on your network environment, your #
security policies, and what you consider to be suspicious, some of #
these rules may either generate false positives ore may be detecting #
activity you consider to be acceptable; therefore, you are # encouraged
to comment out rules that are not applicable in your # environment. # #
Note that using all of the rules at the same time may lead to # serious
packet loss on slower machines. YMMV, use with caution, # standard
disclaimers apply. :) # # The following individuals contributed many of
rules in this # distribution. # # Credits:
#   Ron Gula <rgula () securitywizards com> of Network Security Wizards
#   Max Vision <vision () whitehats com>
#   Martin Markgraf <martin () mail du gtn com>
#   Fyodor Yarochkin <fygrave () tigerteam net>
#   Nick Rogness <nick () rapidnet com>
#   Jim Forster <jforster () rapidnet com>
#   Scott McIntyre <scott () whoi edu>
#   Tom Vandepoel <Tom.Vandepoel () ubizen com>
#   Brian Caswell <bmc () snort org>
#   Zeno <admin () cgisecurity com>
#   Ryan Russell <ryan () securityfocus com>
# 
#=========================================
# Include all relevant rulesets here 
# 
# shellcode, policy, info, backdoor, and virus rulesets are 
# disabled by default.  These require tuning and maintance.  
# Please read the included specific file for more information.
#=========================================

include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-iis.rules
include web-frontpage.rules
include web-misc.rules
include web-client.rules
include web-php.rules

include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
include oracle.rules
include mysql.rules
include snmp.rules

include smtp.rules
include imap.rules
include pop3.rules
include pop2.rules

include nntp.rules
include other-ids.rules
include web-attacks.rules
include backdoor.rules
include shellcode.rules
include policy.rules
include porn.rules
include info.rules
include icmp-info.rules
include virus.rules
include chat.rules
include multimedia.rules
include p2p.rules
include experimental.rules
include local.rules