Snort mailing list archives

Re: snort and squid


From: "Helmut Schneider" <jumper99 () gmx de>
Date: Fri, 18 Jan 2008 20:17:40 +0100

From: "Seth" <sethsec () gmail com>

Did you also add 3128 to the http_inspect preprocessor? i.e.:
http_inspect_server: server default profile all ports {80 3128}

Yes. Here are the alerts that are logged:

(ftp_telnet) FTP command
(ftp_telnet) FTP traffic
(ftp_telnet) Invalid FTP
(http_inspect) NON-RFC DEFINED
(http_inspect) OVERSIZE CHUNK
(http_inspect) OVERSIZE REQUEST-URI
(http_inspect) U ENCODING
ICMP Destination Unreachable
ICMP PING *NIX
ICMP PING BSDtype
ICMP PING Windows
ICMP PING [**]
SHELLCODE x86 NOOP
SHELLCODE x86 inc

That's all. No BPF filter, no threshold.

[root@proxy ~]# cat /usr/local/etc/snort/snort.conf | grep ^include
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/voip.rules
[root@proxy ~]# 
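As an added check (example code, not from the thread or the Snort project), a small Python script that pulls the http_inspect_server port list and the HTTP_PORTS portvar out of a snort.conf and reports whether the proxy port is covered by both. The sample config lines are constructed; the HTTP_PORTS check is an extra caveat, because the web-*.rules headers match on $HTTP_PORTS, not on the preprocessor's own port list.

```python
import re

# Constructed sample of the relevant snort.conf lines (not the poster's actual file);
# the http_inspect_server line mirrors the one suggested in the thread.
SAMPLE_CONF = """\
portvar HTTP_PORTS 80
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 3128 }
include $RULE_PATH/web-misc.rules
"""

def _expand_ports(text):
    """Turn '80 3128', '[80,3128]' or '8080:8082' into a set of ints."""
    ports = set()
    for tok in re.split(r"[\s,\[\]]+", text.strip()):
        if not tok:
            continue
        if ":" in tok:  # portvar range syntax lo:hi
            lo, hi = tok.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(tok))
    return ports

def http_inspect_ports(conf):
    """Ports named in every http_inspect_server 'ports { ... }' clause."""
    ports = set()
    for m in re.finditer(r"http_inspect_server:.*?ports\s*\{([^}]*)\}", conf):
        ports |= _expand_ports(m.group(1))
    return ports

def http_portvar(conf):
    """Value of 'portvar HTTP_PORTS ...', which the web rule headers reference."""
    m = re.search(r"^\s*portvar\s+HTTP_PORTS\s+(.+)$", conf, re.M)
    return _expand_ports(m.group(1)) if m else set()

def proxy_port_coverage(conf, port):
    """True/False per mechanism: is the proxy port normalised and is it rule-matched?"""
    return {
        "http_inspect": port in http_inspect_ports(conf),
        "HTTP_PORTS": port in http_portvar(conf),
    }

if __name__ == "__main__":
    # With the sample above, 3128 reaches http_inspect but the web rules never see it.
    print(proxy_port_coverage(SAMPLE_CONF, 3128))
```

Point it at a real file with `proxy_port_coverage(open("/usr/local/etc/snort/snort.conf").read(), 3128)`; a `False` under HTTP_PORTS is the usual reason web rules stay silent on proxy traffic while preprocessor alerts still fire.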
