Snort mailing list archives
Another question...
From: Joshua McDowell <joshmia2001 () yahoo com>
Date: Sun, 11 Jan 2004 13:10:07 -0800 (PST)
Please bear with me, for the origional problem that
I had still isn't solved. It will not ad UDP entries
into the database or port scans. I found a goofy
little hidden option in the main acid config that
wanted to know where the portscan log was. I pointed
it there and it still won't pick those up. I have
pasted my snort.conf into this e-mail. Keep in mind
it's "FRESH" again so I have made little changes.
Thanks,
Joshua
#--------------------------------------------------
# http://www.snort.org Snort 2.1.0 Ruleset
# Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# $Id: snort.conf,v 1.133 2003/12/18 17:05:07 cazz Exp
$
#
###################################################
# This file contains a sample snort configuration.
# You can take the following steps to create your own
custom configuration:
#
# 1) Set the network variables for your network
# 2) Configure preprocessors
# 3) Configure output plugins
# 4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
your local network. The
# variable is currently setup for an RFC 1918 address
space.
#
# You can specify it explicitly as:
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS
which will be always
# initialized to IP address and netmask of the network
interface which you run
# snort at. Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
#
$(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
var EXTERNAL_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
var HOME_NET 192.168.1.0/24
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
#var HOME_NET any
# Set up the external network addresses as well. A
good start may be "any"
#var EXTERNAL_NET any
# Configure your server lists. This allows snort to
only look for attacks to
# systems that have a service up. Why look for HTTP
attacks if you are not
# running a web server? This allows quick filtering
based on IP addresses
# These configurations MUST follow the same
configuration scheme as defined
# above for $HOME_NET.
# List of DNS servers on your network
var DNS_SERVERS $HOME_NET
# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET
# List of web servers on your network
var HTTP_SERVERS $HOME_NET
# List of sql servers on your network
var SQL_SERVERS $HOME_NET
# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET
# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET
# Configure your service ports. This allows snort to
look for attacks destined
# to a specific application only on the ports that
application runs on. For
# example, if you run a web server on port 8081, set
your HTTP_PORTS variable
# like this:
#
# var HTTP_PORTS 8081
#
# Port lists must either be continuous [eg 80:8080],
or a single port [eg 80].
# We will adding support for a real list of ports in
the future.
# Ports you run web servers on
#
# Please note: [80,8080] does not work.
# If you wish to define multiple HTTP ports,
#
## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules
var HTTP_PORTS 80
# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80
# Ports you do oracle attacks on
var ORACLE_PORTS 1521
# other variables
#
# AIM servers. AOL has a habit of adding new AIM
servers, so instead of
# modifying the signatures when they do, we add them
to this list of servers.
var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
# Path to your rules files (this can be a relative
path)
var RULE_PATH /etc/snort/rules
# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as
header
# truncation or options of unusual length or
infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when the
a TCP option is detected
# that shows T/TCP being actively used on the network.
If this is normal
# behavior for your network, disable the next option.
#
# config disable_tcpopt_ttcp_alerts
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts
# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a
machine with very limited
# resources:
#
# config detection: search-method lowmem
###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of
# the form
# preprocessor <name_of_processor>:
<configuration_options>
# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying
the state keeping
# mechanisms of snort into a single place. Right now,
only a portscan detector
# is implemented but in the long term, many of the
stateful subsystems of
# snort will be migrated over to becoming flow
plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
preprocessor flow: stats_interval 0 hash 2
# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation. This
plugin will also detect
# people launching fragmentation attacks (usually DoS)
against hosts. No
# arguments loads the default configuration of the
preprocessor, which is a 60
# second timeout and a 4MB fragment buffer.
# The following (comma delimited) options are
available for frag2
# timeout [seconds] - sets the number of [seconds]
than an unfinished
# fragment will be kept around
waiting for completion,
# if this time expires the
fragment will be flushed
# memcap [bytes] - limit frag2 memory usage to
[number] bytes
# (default: 4194304)
#
# min_ttl [number] - minimum ttl to accept
#
# ttl_limit [number] - difference of ttl to accept
without alerting
# will cause false positves
with router flap
#
# Frag2 uses Generator ID 113 and uses the following
SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Oversized fragment (reassembled frag > 64k
bytes)
# 2 Teardrop-type attack
preprocessor frag2
# stream4: stateful inspection/stream reassembly for
Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line
switch to defeat stick/snot
# against TCP rules. Also performs full TCP stream
reassembly, stateful
# inspection of TCP streams, etc. Can statefully
detect various portscan
# types, fingerprinting, ECN, etc.
# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap
8388608)
# options (options are comma delimited):
# detect_scans - stream4 will detect stealth
portscans and generate alerts
# when it sees them when this option
is set
# detect_state_problems - detect TCP state problems,
this tends to be very
# noisy because there are a
lot of crappy ip stack
# implementations out there
#
# disable_evasion_alerts - turn off the possibly
noisy mitigation of
# overlapping sequences.
#
#
# min_ttl [number] - set a minium ttl that
snort will accept to
# stream reassembly
#
# ttl_limit [number] - differential of the
initial ttl on a session versus
# the normal that someone
may be playing games.
# Routing flap may cause
lots of false positives.
#
# keepstats [machine|binary] - keep session
statistics, add "machine" to
# get them in a flat format
for machine reading, add
# "binary" to get them in a
unified binary output
# format
# noinspect - turn off stateful inspection only
# timeout [number] - set the session timeout counter
to [number] seconds,
# default is 30 seconds
# memcap [number] - limit stream4 memory usage to
[number] bytes
# log_flushed_streams - if an event is detected on a
stream this option will
# cause all packets that are
stored in the stream4
# packet buffers to be flushed
to disk. This only
# works when logging in pcap
mode!
#
# Stream4 uses Generator ID 111 and uses the following
SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Stealth activity
# 2 Evasive RST packet
# 3 Evasive TCP packet retransmission
# 4 TCP Window violation
# 5 Data on SYN packet
# 6 Stealth scan: full XMAS
# 7 Stealth scan: SYN-ACK-PSH-URG
# 8 Stealth scan: FIN scan
# 9 Stealth scan: NULL scan
# 10 Stealth scan: NMAP XMAS scan
# 11 Stealth scan: Vecna scan
# 12 Stealth scan: NMAP fingerprint scan
stateful detect
# 13 Stealth scan: SYN-FIN scan
# 14 TCP forward overlap
preprocessor stream4: disable_evasion_alerts
# tcp stream reassembly directive
# no arguments loads the default configuration
# Only reassemble the client,
# Only reassemble the default list of ports (See
below),
# Give alerts for "bad" streams
#
# Available options (comma delimited):
# clientonly - reassemble traffic for the client
side of a connection only
# serveronly - reassemble traffic for the server
side of a connection only
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream
reassembly stage of stream4
# ports [list] - use the space separated list of
ports in [list], "all"
# will turn on reassembly for all
ports, "default" will turn
# on reassembly for ports 21, 23, 25,
53, 80, 143, 110, 111
# and 513
preprocessor stream4_reassemble: both, ports [all]
# http_inspect: normalize and detect HTTP traffic and
protocol anomalies
#
# lots of options available here. See
doc/README.http_inspect.
# unicode.map should be wherever your snort.conf
lives, or given
# a full path to where snort can find it.
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all \
ports { 80 8080 }
#
# Example unqiue server configuration
#
#preprocessor http_inspect_server: server 1.1.1.1 \
# ports { 80 3128 8080 } \
# flow_depth 0 \
# ascii no \
# double_decode yes \
# non_rfc_char { 0x00 } \
# chunk_length 500000 \
# non_strict \
# no_alerts
# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the
usual 4-byte encoding
# that is used by default. This plugin takes the port
numbers that RPC
# services are running on as arguments - it is assumed
that the given ports
# are actually running this type of service. If not,
change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP
data
# no_alert_multiple_requests - don't alert when >1 rpc
query is in a packet
# no_alert_large_fragments - don't alert when the
fragmented
# sizes exceed the current
packet size
# no_alert_incomplete - don't alert when a single
segment
# exceeds the current packet
size
preprocessor rpc_decode: 111 32771
# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network. Takes
no arguments in 2.0.
#
# The Back Orifice detector uses Generator ID 105 and
uses the
# following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Back Orifice traffic detected
preprocessor bo
# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation
strings from telnet and ftp
# traffic. It works in much the same way as the
http_decode preprocessor,
# searching for traffic that breaks up the normal data
stream of a protocol and
# replacing it with a normalized representation of
that traffic so that the
# "content" pattern matching keyword can work without
requiring modifications.
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate
any SID currently.
preprocessor telnet_decode
# Flow-Portscan: detect a variety of portscans
# ---------------------------------------
# Note: The Flow preprocessor (above) must first be
enabled for Flow-Portscan to
# work.
#
# This module detects portscans based off of flow
creation in the flow
# preprocessors. The goal is to catch catch one->many
hosts and one->many
# ports scans.
#
# Flow-Portscan has numerous options available, please
read
# README.flow-portscan for help configuring this
option.
# Flow-Portscan uses Generator ID 121 and uses the
following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 flow-portscan: Fixed Scale Scanner Limit
Exceeded
# 2 flow-portscan: Sliding Scale Scanner Limit
Exceeded
# 3 flow-portscan: Fixed Scale Talker Limit
Exceeded
# 4 flow-portscan: Sliding Scale Talker Limit
Exceeded
preprocessor flow-portscan: \
talker-sliding-scale-factor 0.50 \
talker-fixed-threshold 30 \
talker-sliding-threshold 30 \
talker-sliding-window 20 \
talker-fixed-window 30 \
scoreboard-rows-talker 30000 \
server-watchnet [10.2.0.0/30] \
server-ignore-limit 200 \
server-rows 65535 \
server-learning-time 14400 \
server-scanner-limit 4 \
scanner-sliding-window 20 \
scanner-sliding-scale-factor 0.50 \
scanner-fixed-threshold 15 \
scanner-sliding-threshold 40 \
scanner-fixed-window 15 \
scoreboard-rows-scanner 30000 \
src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
dst-ignore-net [10.0.0.0/30] \
alert-mode once \
output-mode msg \
tcp-penalties on
# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan,
detects ARP attacks,
# unicast ARP requests, and specific ARP mapping
monitoring. To make use of
# this preprocessor you must specify the IP and
hardware address of hosts on
# the same layer 2 segment as you. Specify one host
IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast
ARP request detection.
# Arpspoof uses Generator ID 112 and uses the
following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Unicast ARP request
# 2 Etherframe ARP mismatch (src)
# 3 Etherframe ARP mismatch (dst)
# 4 ARP cache overwrite attack
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1
f0:0f:00:f0:0f:00
# Performance Statistics
# ----------------------
# Documentation for this is provided in the Snort
Manual. You should read it.
# It is included in the release distribution as
doc/snort_manual.pdf
#
# preprocessor perfmonitor: console flow events time
10
####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you
decide to use. General
# configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments.
Win32 can also optionally
# specify a particular hostname/port. Under Win32,
the default hostname is
# '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH
LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH
LOG_ALERT
# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log
# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information
about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test
dbname=db host=localhost
# output database: alert, postgresql, user=snort
dbname=snort
# output database: log, unixodbc, user=snort
dbname=snort
# output database: log, mssql, dbname=snort user=snort
password=test
# unified: Snort unified binary format alerting and
logging
#
-------------------------------------------------------------
# The unified output plugin provides two new formats
for logging and generating
# alerts from Snort, the "unified" format. The
unified format is a straight
# binary format for logging data out of Snort that is
designed to be fast and
# efficient. Used with barnyard (the new alert/log
processor), most of the
# overhead for logging and alerting to various slow
storage mechanisms such as
# databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data
formats.
#
# Two arguments are supported.
# filename - base filename to write to (current
time_t is appended)
# limit - maximum size of spool file in MB
(default: 128)
#
# output alert_unified: filename snort.alert, limit
128
# output log_unified: filename snort.log, limit 128
# You can optionally define new rule types and
associate one or more output
# plugins specifically to that type.
#
# This example will create a type that will log to
just tcpdump.
# ruletype suspicious
# {
# type log
# output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667
(msg:"Internal IRC Server";)
#
# This example will create a rule type that will log
to syslog and a mysql
# database:
# ruletype redalert
# {
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort
dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE:
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
# (msg:"Someone is being LEET"; flags:A+;)
#
# Include classification & priority settings
#
include classification.config
#
# Include reference systems
#
include reference.config
####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at
http://www.snort.org
#
# The snort web site has documentation about how to
write your own custom snort
# rules.
#
# The rules included with this distribution generate
alerts based on on
# suspicious activity. Depending on your network
environment, your security
# policies, and what you consider to be suspicious,
some of these rules may
# either generate false positives ore may be detecting
activity you consider to
# be acceptable; therefore, you are encouraged to
comment out rules that are
# not applicable in your environment.
#
# The following individuals contributed many of rules
in this distribution.
#
# Credits:
# Ron Gula <rgula () securitywizards com> of Network
Security Wizards
# Max Vision <vision () whitehats com>
# Martin Markgraf <martin () mail du gtn com>
# Fyodor Yarochkin <fygrave () tigerteam net>
# Nick Rogness <nick () rapidnet com>
# Jim Forster <jforster () rapidnet com>
# Scott McIntyre <scott () whoi edu>
# Tom Vandepoel <Tom.Vandepoel () ubizen com>
# Brian Caswell <bmc () snort org>
# Zeno <admin () cgisecurity com>
# Ryan Russell <ryan () securityfocus com>
#=========================================
# Include all relevant rulesets here
#
# The following rulesets are disabled by default:
#
# web-attacks, backdoor, shellcode, policy, porn,
info, icmp-info, virus,
# chat, multimedia, and p2p
#
# These rules are either site policy specific or
require tuning in order to not
# generate false positive alerts in most enviornments.
#
# Please read the specific include file for more
information and
# README.alert_order for how rule ordering affects how
alerts are triggered.
#=========================================
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
# Include any thresholding or suppression commands
include threshold.conf
__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus
-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Another question... Joshua McDowell (Jan 11)