
Cannot sense port scans


From: "RD R" <careergeek () hotmail com>
Date: Tue, 05 Oct 2004 07:54:47 -0400

{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\froman\fcharset0 Times New Roman;}{\f1\fswiss\fcharset0 Arial;}} {\colortbl ;\red0\green0\blue255;} \viewkind4\uc1\pard\sb100\sa100\f0\fs24 #--------------------------------------------------\line # \cf1\ul http://www.snort.org <javascript:openwin('http://64.4.36.250/cgi-bin/linkrd?_lang=en&lah=b7bc37b5df9702760ac48055f3a00a39&lat=1096977142&hm___action=http%253a%252f%252fwww%252esnort%252eorg');>\cf0\ulnone Snort 2.1.0 Ruleset\line # Contact: \cf1\ul snort-sigs () lists sourceforge net </cgi-bin/compose?mailto=1&msg=msg1096896903.14&start=255250&len=36497&src=&type=x&to=snort-sigs()listssourceforgenet&cc=&bcc=&subject=&body=&curmbox=f000000005&a=789cecdb89dc08bd98081e426eba41a4>\cf0\ulnone\line #--------------------------------------------------\line # $Id: snort.conf,v 1.142.2.2 2004/08/05 18:55:37 jhewlett Exp $\line #\line ###################################################\line # This file contains a sample snort configuration. \line # You can take the following steps to create your own custom configuration:\line #\line # 1) Set the network variables for your network\line # 2) Configure preprocessors\line # 3) Configure output plugins\line # 4) Customize your rule set\line #\line ###################################################\line # Step #1: Set the network variables:\line #\line # You must change the following variables to reflect your local network. The\line # variable is currently setup for an RFC 1918 address space.\line #\line # You can specify it explicitly as: \line #\line # var HOME_NET 10.1.1.0/24\line #\line # or use global variable $<interfacename>_ADDRESS which will be always\line # initialized to IP address and netmask of the network interface which you run\line # snort at. 
Under Windows, this must be specified as\line # $(<interfacename>_ADDRESS), such as:\line # $(\\Device\\Packet_\{12345678-90AB-CDEF-1234567890AB\}_ADDRESS)\line #\line # var HOME_NET $eth0_ADDRESS\line #\line # You can specify lists of IP addresses for HOME_NET\line # by separating the IPs with commas like this:\line #\line # var HOME_NET [10.1.1.0/24,192.168.1.0/24]\line #\line # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!\line #\line # or you can specify the variable to be any IP address\line # like this: \par var HOME_NET 192.168.5.0/24 \par # Set up the external network addresses as well. A good start may be "any"\line var EXTERNAL_NET any \par # Configure your server lists. This allows snort to only look for attacks to\line # systems that have a service up. Why look for HTTP attacks if you are not\line # running a web server? This allows quick filtering based on IP addresses\line # These configurations MUST follow the same configuration scheme as defined\line # above for $HOME_NET. \par # List of DNS servers on your network \line var DNS_SERVERS $HOME_NET \par # List of SMTP servers on your network\line var SMTP_SERVERS $HOME_NET \par # List of web servers on your network\line var HTTP_SERVERS $HOME_NET \par # List of sql servers on your network \line var SQL_SERVERS $HOME_NET \par # List of telnet servers on your network\line var TELNET_SERVERS $HOME_NET \par # List of snmp servers on your network\line var SNMP_SERVERS $HOME_NET \par # Configure your service ports. This allows snort to look for attacks destined\line # to a specific application only on the ports that application runs on. For\line # example, if you run a web server on port 8081, set your HTTP_PORTS variable\line # like this:\line #\line # var HTTP_PORTS 8081\line #\line # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].\line # We will be adding support for a real list of ports in the future. 
\par # Ports you run web servers on\line #\line # Please note: [80,8080] does not work.\line # If you wish to define multiple HTTP ports,\line # \line ## var HTTP_PORTS 80 \line ## include somefile.rules \line ## var HTTP_PORTS 8080\line ## include somefile.rules \line var HTTP_PORTS 80 \par # Ports you want to look for SHELLCODE on.\line var SHELLCODE_PORTS !80 \par # Ports you do oracle attacks on\line var ORACLE_PORTS 1521 \par # other variables\line # \line # AIM servers. AOL has a habit of adding new AIM servers, so instead of\line # modifying the signatures when they do, we add them to this list of servers.\line var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] \par # Path to your rules files (this can be a relative path)\line # Note for Windows users: You are advised to make this an absolute path,\line # such as: c:\\snort\\rules\line var RULE_PATH c:\\snort\\rules \par # Configure the snort decoder\line # ============================\line #\line # Snort's decoder will alert on lots of things such as header\line # truncation or options of unusual length or infrequently used tcp options\line #\line #\line # Stop generic decode events:\line #\line # config disable_decode_alerts\line #\line # Stop Alerts on experimental TCP options\line #\line # config disable_tcpopt_experimental_alerts\line #\line # Stop Alerts on obsolete TCP options\line #\line # config disable_tcpopt_obsolete_alerts\line #\line # Stop Alerts on T/TCP alerts\line #\line # In snort 2.0.1 and above, this only alerts when a TCP option is detected\line # that shows T/TCP being actively used on the network. 
If this is normal\line # behavior for your network, disable the next option.\line #\line # config disable_tcpopt_ttcp_alerts\line #\line # Stop Alerts on all other TCPOption type events:\line #\line # config disable_tcpopt_alerts\line #\line # Stop Alerts on invalid ip options\line #\line # config disable_ipopt_alerts \par # Configure the detection engine\line # ===============================\line #\line # Use a different pattern matcher in case you have a machine with very limited\line # resources:\line #\line # config detection: search-method lowmem \par ###################################################\line # Step #2: Configure preprocessors\line #\line # General configuration for preprocessors is of \line # the form\line # preprocessor <name_of_processor>: <configuration_options> \par # Configure Flow tracking module\line # -------------------------------\line #\line # The Flow tracking module is meant to start unifying the state keeping\line # mechanisms of snort into a single place. Right now, only a portscan detector\line # is implemented but in the long term, many of the stateful subsystems of\line # snort will be migrated over to becoming flow plugins. This must be enabled\line # for flow-portscan to work correctly.\line #\line # See README.flow for additional information\line #\line preprocessor flow: stats_interval 0 hash 2 \par # frag2: IP defragmentation support\line # -------------------------------\line # This preprocessor performs IP defragmentation. This plugin will also detect\line # people launching fragmentation attacks (usually DoS) against hosts. No\line # arguments loads the default configuration of the preprocessor, which is a 60\line # second timeout and a 4MB fragment buffer. 
\par # The following (comma delimited) options are available for frag2\line # timeout [seconds] - sets the number of [seconds] that an unfinished \line # fragment will be kept around waiting for completion,\line # if this time expires the fragment will be flushed\line # memcap [bytes] - limit frag2 memory usage to [number] bytes\line # (default: 4194304)\line #\line # min_ttl [number] - minimum ttl to accept\line # \line # ttl_limit [number] - difference of ttl to accept without alerting\line # will cause false positives with router flap\line # \line # Frag2 uses Generator ID 113 and uses the following SIDS \line # for that GID:\line # SID Event description\line # ----- -------------------\line # 1 Oversized fragment (reassembled frag > 64k bytes)\line # 2 Teardrop-type attack \par preprocessor frag2 \par # stream4: stateful inspection/stream reassembly for Snort\line #----------------------------------------------------------------------\line # Use in concert with the -z [all|est] command line switch to defeat stick/snot\line # against TCP rules. Also performs full TCP stream reassembly, stateful\line # inspection of TCP streams, etc. Can statefully detect various portscan\line # types, fingerprinting, ECN, etc. 
\par # stateful inspection directive\line # no arguments loads the defaults (timeout 30, memcap 8388608)\line # options (options are comma delimited):\line # detect_scans - stream4 will detect stealth portscans and generate alerts\line # when it sees them when this option is set\line # detect_state_problems - detect TCP state problems, this tends to be very\line # noisy because there are a lot of crappy ip stack\line # implementations out there\line #\line # disable_evasion_alerts - turn off the possibly noisy mitigation of\line # overlapping sequences.\line #\line #\line # min_ttl [number] - set a minimum ttl that snort will accept to\line # stream reassembly\line #\line # ttl_limit [number] - differential of the initial ttl on a session versus\line # the normal that someone may be playing games.\line # Routing flap may cause lots of false positives.\line # \line # keepstats [machine|binary] - keep session statistics, add "machine" to \line # get them in a flat format for machine reading, add\line # "binary" to get them in a unified binary output \line # format\line # noinspect - turn off stateful inspection only\line # timeout [number] - set the session timeout counter to [number] seconds,\line # default is 30 seconds\line # memcap [number] - limit stream4 memory usage to [number] bytes\line # log_flushed_streams - if an event is detected on a stream this option will\line # cause all packets that are stored in the stream4\line # packet buffers to be flushed to disk. 
This only \line # works when logging in pcap mode!\line #\line # Stream4 uses Generator ID 111 and uses the following SIDS \line # for that GID:\line # SID Event description\line # ----- -------------------\line # 1 Stealth activity\line # 2 Evasive RST packet\line # 3 Evasive TCP packet retransmission\line # 4 TCP Window violation\line # 5 Data on SYN packet\line # 6 Stealth scan: full XMAS\line # 7 Stealth scan: SYN-ACK-PSH-URG\line # 8 Stealth scan: FIN scan\line # 9 Stealth scan: NULL scan\line # 10 Stealth scan: NMAP XMAS scan\line # 11 Stealth scan: Vecna scan\line # 12 Stealth scan: NMAP fingerprint scan stateful detect\line # 13 Stealth scan: SYN-FIN scan\line # 14 TCP forward overlap \par preprocessor stream4: detect_scans \par # tcp stream reassembly directive\line # no arguments loads the default configuration \line # Only reassemble the client,\line # Only reassemble the default list of ports (See below), \line # Give alerts for "bad" streams\line #\line # Available options (comma delimited):\line # clientonly - reassemble traffic for the client side of a connection only\line # serveronly - reassemble traffic for the server side of a connection only\line # both - reassemble both sides of a session\line # noalerts - turn off alerts from the stream reassembly stage of stream4\line # ports [list] - use the space separated list of ports in [list], "all" \line # will turn on reassembly for all ports, "default" will turn\line # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111\line # and 513 \par preprocessor stream4_reassemble \par # http_inspect: normalize and detect HTTP traffic and protocol anomalies\line #\line # lots of options available here. 
See doc/README.http_inspect.\line # unicode.map should be wherever your snort.conf lives, or given\line # a full path to where snort can find it.\line preprocessor http_inspect: global \\\line iis_unicode_map unicode.map 1252 \par preprocessor http_inspect_server: server default \\\line profile all ports \{ 80 8080 8180 \} oversize_dir_length 500 \par #\line # Example unique server configuration\line #\line #preprocessor http_inspect_server: server 1.1.1.1 \\\line # ports \{ 80 3128 8080 \} \\\line # flow_depth 0 \\\line # ascii no \\\line # double_decode yes \\\line # non_rfc_char \{ 0x00 \} \\\line # chunk_length 500000 \\\line # non_strict \\\line # oversize_dir_length 300 \\\line # no_alerts \par \line # rpc_decode: normalize RPC traffic\line # ---------------------------------\line # RPC may be sent in alternate encodings besides the usual 4-byte encoding\line # that is used by default. This plugin takes the port numbers that RPC\line # services are running on as arguments - it is assumed that the given ports\line # are actually running this type of service. If not, change the ports or turn\line # it off.\line # The RPC decode preprocessor uses generator ID 106\line #\line # arguments: space separated list\line # alert_fragments - alert on any rpc fragmented TCP data\line # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet\line # no_alert_large_fragments - don't alert when the fragmented\line # sizes exceed the current packet size\line # no_alert_incomplete - don't alert when a single segment\line # exceeds the current packet size \par preprocessor rpc_decode: 111 32771 \par # bo: Back Orifice detector\line # -------------------------\line # Detects Back Orifice traffic on the network. 
Takes no arguments in 2.0.\line # \line # The Back Orifice detector uses Generator ID 105 and uses the \line # following SIDS for that GID:\line # SID Event description\line # ----- -------------------\line # 1 Back Orifice traffic detected \par preprocessor bo \par # telnet_decode: Telnet negotiation string normalizer\line # ---------------------------------------------------\line # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp\line # traffic. It works in much the same way as the http_decode preprocessor,\line # searching for traffic that breaks up the normal data stream of a protocol and\line # replacing it with a normalized representation of that traffic so that the\line # "content" pattern matching keyword can work without requiring modifications.\line # This preprocessor requires no arguments.\line # Portscan uses Generator ID 109 and does not generate any SID currently. \par preprocessor telnet_decode \par # Flow-Portscan: detect a variety of portscans\line # ---------------------------------------\line # Note: The Flow preprocessor (above) must first be enabled for Flow-Portscan to\line # work.\line #\line # This module detects portscans based off of flow creation in the flow\line # preprocessors. The goal is to catch one->many hosts and one->many\line # ports scans.\line #\line # Flow-Portscan has numerous options available, please read\line # README.flow-portscan for help configuring this option. 
\par # Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:\line # SID Event description\line # ----- -------------------\line # 1 flow-portscan: Fixed Scale Scanner Limit Exceeded\line # 2 flow-portscan: Sliding Scale Scanner Limit Exceeded \line # 3 flow-portscan: Fixed Scale Talker Limit Exceeded\line # 4 flow-portscan: Sliding Scale Talker Limit Exceeded \par preprocessor flow-portscan: \\\line talker-sliding-scale-factor 0.50 \\\line talker-fixed-threshold 30 \\\line talker-sliding-threshold 30 \\\line talker-sliding-window 20 \\\line talker-fixed-window 30 \\\line scoreboard-rows-talker 30000 \\\line server-watchnet [10.2.0.0/30] \\\line server-ignore-limit 200 \\\line server-rows 65535 \\\line server-learning-time 14400 \\\line server-scanner-limit 4 \\\line scanner-sliding-window 20 \\\line scanner-sliding-scale-factor 0.50 \\\line scanner-fixed-threshold 15 \\\line scanner-sliding-threshold 40 \\\line scanner-fixed-window 15 \\\line scoreboard-rows-scanner 30000 \\\line src-ignore-net [192.168.1.1/32,192.168.0.0/24] \\\line dst-ignore-net [10.0.0.0/30] \\\line alert-mode once \\\line output-mode msg \\\line tcp-penalties on \par # arpspoof\line #----------------------------------------\line # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,\line # unicast ARP requests, and specific ARP mapping monitoring. To make use of\line # this preprocessor you must specify the IP and hardware address of hosts on\line # the same layer 2 segment as you. Specify one host IP MAC combo per line.\line # Also takes a "-unicast" option to turn on unicast ARP request detection. 
\line # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID: \par # SID Event description\line # ----- -------------------\line # 1 Unicast ARP request\line # 2 Etherframe ARP mismatch (src)\line # 3 Etherframe ARP mismatch (dst)\line # 4 ARP cache overwrite attack \par #preprocessor arpspoof\line #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 \par \line # Performance Statistics\line # ----------------------\line # Documentation for this is provided in the Snort Manual. You should read it.\line # It is included in the release distribution as doc/snort_manual.pdf\line # \line # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 \par ####################################################################\line # Step #3: Configure output plugins\line #\line # Uncomment and configure the output plugins you decide to use. General\line # configuration for output plugins is of the form:\line #\line # output <name_of_plugin>: <configuration_options>\line #\line # alert_syslog: log alerts to syslog\line # ----------------------------------\line # Use one or more syslog facilities as arguments. Win32 can also optionally\line # specify a particular hostname/port. 
Under Win32, the default hostname is\line # '127.0.0.1', and the default port is 514.\line #\line # [Unix flavours should use this format...]\line # output alert_syslog: LOG_AUTH LOG_ALERT\line #\line # [Win32 can use any of these formats...]\line # output alert_syslog: LOG_AUTH LOG_ALERT\line # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT\line # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT \par # log_tcpdump: log packets in binary tcpdump format\line # -------------------------------------------------\line # The only argument is the output file name.\line #\line # output log_tcpdump: tcpdump.log \par # database: log to a variety of databases\line # ---------------------------------------\line # See the README.database file for more information about configuring\line # and using this plugin.\line #\line output database: alert, mysql, user=root password=xxxx dbname=snort_db host=localhost\line # output database: alert, postgresql, user=snort dbname=snort\line # output database: log, odbc, user=snort dbname=snort\line # output database: log, mssql, dbname=snort user=snort password=test\line # output database: log, oracle, dbname=snort user=snort password=test \par # unified: Snort unified binary format alerting and logging\line # -------------------------------------------------------------\line # The unified output plugin provides two new formats for logging and generating\line # alerts from Snort, the "unified" format. The unified format is a straight\line # binary format for logging data out of Snort that is designed to be fast and\line # efficient. Used with barnyard (the new alert/log processor), most of the\line # overhead for logging and alerting to various slow storage mechanisms such as\line # databases or the network can now be avoided. 
\line #\line # Check out the spo_unified.h file for the data formats.\line #\line # Two arguments are supported.\line # filename - base filename to write to (current time_t is appended)\line # limit - maximum size of spool file in MB (default: 128)\line #\line # output alert_unified: filename snort.alert, limit 128\line # output log_unified: filename snort.log, limit 128 \par # You can optionally define new rule types and associate one or more output\line # plugins specifically to that type.\line #\line # This example will create a type that will log to just tcpdump.\line # ruletype suspicious\line # \{\line # type log\line # output log_tcpdump: suspicious.log\line # \}\line #\line # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:\line # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)\line #\line # This example will create a rule type that will log to syslog and a mysql\line # database:\line # ruletype redalert\line # \{\line # type alert\line # output alert_syslog: LOG_AUTH LOG_ALERT\line # output database: log, mysql, user=snort dbname=snort host=localhost\line # \}\line #\line # EXAMPLE RULE FOR REDALERT RULETYPE:\line # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \\\line # (msg:"Someone is being LEET"; flags:A+;) \par #\line # Include classification & priority settings\line # Note for Windows users: You are advised to make this an absolute path,\line # such as: c:\\snort\\etc\\classification.config\line # \par include c:\\snort\\etc\\classification.config \par #\line # Include reference systems\line # Note for Windows users: You are advised to make this an absolute path,\line # such as: c:\\snort\\etc\\reference.config\line # \par include c:\\snort\\etc\\reference.config \par ####################################################################\line # Step #4: Customize your rule set\line #\line # Up to date snort rules are available at \cf1\ul http://www.snort.org 
<javascript:openwin('http://64.4.36.250/cgi-bin/linkrd?_lang=en&lah=b7bc37b5df9702760ac48055f3a00a39&lat=1096977142&hm___action=http%253a%252f%252fwww%252esnort%252eorg');>\cf0\ulnone\line #\line # The snort web site has documentation about how to write your own custom snort\line # rules.\line #\line # The rules included with this distribution generate alerts based on\line # suspicious activity. Depending on your network environment, your security\line # policies, and what you consider to be suspicious, some of these rules may\line # either generate false positives or may be detecting activity you consider to\line # be acceptable; therefore, you are encouraged to comment out rules that are\line # not applicable in your environment.\line #\line # The following individuals contributed many of the rules in this distribution.\line #\line # Credits:\line # Ron Gula <\cf1\ulrgula()securitywizardscom of Network Security Wizards\line # Max Vision <\cf1\ulvision()whitehatscom\line # Martin Markgraf <\cf1\ulmartin()maildugtncom\line # Fyodor Yarochkin <\cf1\ulfygrave()tigerteamnet\line # Nick Rogness <\cf1\ulnick()rapidnetcom\line # Jim Forster <\cf1\uljforster()rapidnetcom\line # Scott McIntyre <\cf1\ulscott()whoiedu\line # Tom Vandepoel <\cf1\ultom.vandepoel()ubizencom\line # Brian Caswell <\cf1\ulbmc()snortorg\line # Zeno <\cf1\uladmin()cgisecuritycom\line # Ryan Russell <\cf1\ulryan()securityfocuscom \par #=========================================\line # Include all relevant rulesets here \line # \line # The following rulesets are disabled by default:\line #\line # web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,\line # chat, multimedia, and p2p\line # \line # These rules are either site policy specific or require tuning in order to not\line # generate false positive alerts in most environments.\line # \line # Please read the specific include file for more information and\line # README.alert_order for how rule ordering affects how alerts are 
triggered.\line #========================================= \par include $RULE_PATH/local.rules\line include $RULE_PATH/bad-traffic.rules\line include $RULE_PATH/exploit.rules\line include $RULE_PATH/scan.rules\line include $RULE_PATH/finger.rules\line include $RULE_PATH/ftp.rules\line include $RULE_PATH/telnet.rules\line include $RULE_PATH/rpc.rules\line include $RULE_PATH/rservices.rules\line include $RULE_PATH/dos.rules\line include $RULE_PATH/ddos.rules\line include $RULE_PATH/dns.rules\line include $RULE_PATH/tftp.rules \par include $RULE_PATH/web-cgi.rules\line include $RULE_PATH/web-coldfusion.rules\line include $RULE_PATH/web-iis.rules\line include $RULE_PATH/web-frontpage.rules\line include $RULE_PATH/web-misc.rules\line include $RULE_PATH/web-client.rules\line include $RULE_PATH/web-php.rules \par include $RULE_PATH/sql.rules\line include $RULE_PATH/x11.rules\line include $RULE_PATH/icmp.rules\line include $RULE_PATH/netbios.rules\line include $RULE_PATH/misc.rules\line include $RULE_PATH/attack-responses.rules\line include $RULE_PATH/oracle.rules\line include $RULE_PATH/mysql.rules\line include $RULE_PATH/snmp.rules \par include $RULE_PATH/smtp.rules\line include $RULE_PATH/imap.rules\line include $RULE_PATH/pop2.rules\line include $RULE_PATH/pop3.rules \par include $RULE_PATH/nntp.rules\line include $RULE_PATH/other-ids.rules\line # include $RULE_PATH/web-attacks.rules\line # include $RULE_PATH/backdoor.rules\line # include $RULE_PATH/shellcode.rules\line # include $RULE_PATH/policy.rules\line # include $RULE_PATH/porn.rules\line # include $RULE_PATH/info.rules\line # include $RULE_PATH/icmp-info.rules\line include $RULE_PATH/virus.rules\line # include $RULE_PATH/chat.rules\line # include $RULE_PATH/multimedia.rules\line # include $RULE_PATH/p2p.rules\line include $RULE_PATH/experimental.rules \par # Include any thresholding or suppression commands. See threshold.conf in the\line # <snortsrc>/etc directory for details. 
Commands don't necessarily need to be\line # contained in this conf, but a separate conf makes it easier to maintain them. \line # Note for Windows users: You are advised to make this an absolute path,\line # such as: c:\\snort\\etc\\threshold.conf\line # Uncomment if needed.\line # include threshold.conf\line\par \pard\f1\fs20\par }
