Snort mailing list archives
question policy default snort
From: Ricardo Barbosa <ricardobarbosams () yahoo com br>
Date: Mon, 05 Apr 2010 00:47:33 -0400
Hi, I set up a firewall with Snort in inline bridge mode and am using the following configuration and firewall rule for a test setup.

---- snort.conf -----

var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
config disable_ipopt_alerts
config enable_decode_oversized_alerts
config enable_decode_oversized_drops
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
    track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
    normalize \
    ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    alt_max_param_len 200 { CWD } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    data_chan
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
preprocessor smtp: \
    ports { 25 587 691 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
preprocessor dcerpc2
preprocessor dcerpc2_server: default
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow
preprocessor ssl: noinspect_encrypted, trustservers
output alert_syslog: log_local7 log_debug
output log_tcpdump: tcpdump.log
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/community-sip.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/users.rules
include threshold.conf

--- iptables rules ----

iptables -t filter -I FORWARD -j QUEUE

The firewall is in bridge mode. I set up the bridge using the following commands:

ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
ifconfig eth0 arp
ifconfig eth1 arp
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

After setup I tried to access via Terminal Services, but the connection does not work. I ran "tail -f" on the alert file and nothing appeared. Is there some default policy generated by Snort that blocks traffic that does not match?

Regards.
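A diagnostic for the two failure points in the setup described above (the bridge, the FORWARD rule jumping to QUEUE, and Snort expected to consume that queue). This is an added example, not code from the original post: it assumes the Linux ip_queue status file format ("Peer PID : <pid>", "Queue dropped : <n>") and an iptables-save style rule dump, and that a QUEUE target with no attached userspace consumer causes the kernel to drop every queued packet, which would explain a dead Terminal Services session with no alert written.

```shell
#!/bin/sh
# Added diagnostic for an iptables QUEUE + Snort inline bridge (not from the
# original post). Functions take file paths so they can be run against the
# live sensor (/proc/net/ip_queue, iptables-save output) or constructed samples.

# ipq_consumer_pid FILE -> PID attached to ip_queue; 0 = no consumer, -1 = no
# "Peer PID" line at all (ip_queue module not loaded or wrong file).
ipq_consumer_pid() {
    awk -F: '/^Peer PID/ { gsub(/[ \t]/, "", $2); print $2; found = 1 }
             END { if (!found) print -1 }' "$1"
}

# ipq_dropped FILE -> packets the kernel already dropped because nothing read the queue
ipq_dropped() {
    awk -F: '/^Queue dropped/ { gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# queue_rule_count FILE -> number of FORWARD rules in an iptables-save dump that jump to QUEUE
queue_rule_count() {
    grep -c -- '^-A FORWARD .*-j QUEUE$' "$1" || true
}

# diagnose IPQ_FILE RULES_FILE -> one-line verdict; exit 0 only if bridged
# traffic can actually reach Snort and come back with a verdict.
diagnose() {
    pid=$(ipq_consumer_pid "$1")
    rules=$(queue_rule_count "$2")
    if [ "$rules" -eq 0 ]; then
        echo "no -j QUEUE rule in FORWARD: Snort never sees the bridged traffic"
        return 2
    fi
    if [ "$pid" -le 0 ]; then
        echo "QUEUE rule present but no consumer attached (dropped so far: $(ipq_dropped "$1")): kernel drops all forwarded packets, no alert is ever written"
        return 1
    fi
    echo "QUEUE rule present, consumer pid $pid attached: inspect Snort's drop/alert output next"
    return 0
}

# On the sensor itself:
#   iptables-save > /tmp/rules.dump && diagnose /proc/net/ip_queue /tmp/rules.dump
```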