Snort mailing list archives
Re: confirm 343ec785cc752e98b958383c9c38dfab4b0200dc
From: 박종일 <pji5732 () naver com>
Date: Sun, 18 Jan 2015 13:20:34 +0900 (KST)
um.. i edit conf file and local rule however, Like symptoms before setting it
not working logger! unified2 file size is 0 please help me...
------------------snort.lua--------------------------
---------------------------------------------------------------------------
-- Snort++ configuration
---------------------------------------------------------------------------
---------------------------------------------------------------------------
-- setup environment
---------------------------------------------------------------------------
-- given:
-- export DIR=/install/path
-- configure --prefix=$DIR
-- make install
--
-- then:
-- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
-- export SNORT_LUA_PATH=$DIR/conf/
---------------------------------------------------------------------------
---------------------------------------------------------------------------
-- setup the basics
---------------------------------------------------------------------------
require('snort_config') -- for loading
-- Setup the network addresses you are protecting
HOME_NET = '192.168.223.0/24'
-- Set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = '!' .. HOME_NET
conf_dir = os.getenv('SNORT_LUA_PATH')
if ( not conf_dir ) then
conf_dir = '.'
end
dofile(conf_dir .. '/snort_defaults.lua')
dofile(conf_dir .. '/classification.lua')
dofile(conf_dir .. '/reference.lua')
---------------------------------------------------------------------------
-- configure modules
---------------------------------------------------------------------------
--
-- mod = { } uses internal defaults
-- you can see them with snort --help-module mod
-- comment or delete to disable mod functionality
--
-- you can also use default_ftp_server and default_wizard
---------------------------------------------------------------------------
--pcap file
--log_pcap = { }
--log_pcap.limit = 0
--log_pcap.units = B
-- uncomment ppm if you built with --enable-ppm
ppm = { }
-- uncomment profile if you built with --enable-perfprofile
--profile = { }
-- uncomment normalizer if you are inline or not --pedantic
--normalizer = { }
stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
perf_monitor = { }
perf_monitor.console = true
perf_monitor.file = false
perf_monitor.seconds = 1
perf_monitor.packets = 1
arp_spoof = { }
back_orifice = { }
rpc_decode = { }
port_scan = { }
telnet = { }
-- use http_inspect or new_http_inspect (incomplete)
http_inspect = { }
--new_http_inspect = { }
ftp_server = default_ftp_server
ftp_client = { }
ftp_data = { }
wizard = default_wizard
--unified2 & output
alert_fast = { }
unified2 = { }
unified2.limit = 0
unified2.units = B
unified2.nostamp = false
unified2.mpls_event_types = true
unified2.vlan_event_types = true
output = { }
output.verbose = true
output.quiet = false
output.dump_payload = true
output.dump_payload_verbose =ture
---------------------command--------------------------------------
[root@localhost ~]# snort -i eno16777736 -c /usr/local/etc/snort/snort.lua -R /etc/snort/rules -l /var/log/snort/ -K
text -d -v -e
--------------------------------------------------
o")~ Snort++ 3.0.0-a1-130
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
back_orifice
classifications
output
alert_fast
stream_tcp
ftp_data
unified2
ftp_server
http_inspect
telnet
port_scan
rpc_decode
arp_spoof
perf_monitor
stream_ip
stream
ftp_client
stream_icmp
references
stream_udp
wizard
Finished /usr/local/etc/snort/snort.lua.
Loading rules:
Loading /etc/snort/rules:
Finished /etc/snort/rules.
Finished rules.
Wizard
back_orifice
arpspoof configured
Stream5 TCP Policy config:
Reassembly Policy: LAST
Timeout: 30 seconds
Maximum number of bytes to queue per session: 1048576
Maximum number of segs to queue per session: 2621
Require 3-Way Handshake: NO
Stream IP config:
Timeout: 60 seconds
Defrag engine config:
engine-based policy: LINUX
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Max frags: 8192
Max overlaps: 0
Min fragment Length: 0
Stream5 ICMP config:
Timeout: 30 seconds
Stream5 UDP config:
Timeout: 30 seconds
Ignore Any -> Any Rules: NO
ftp_client:
Check for Bounce Attacks: OFF
Check for Telnet Cmds: OFF
Ignore Telnet Cmd Operations: OFF
Max Response Length: -1
ftp_server:
Check for Telnet Cmds: ON
Ignore Telnet Cmd Operations: ON
Identify open data channels: YES
Check for Encrypted Traffic: ON
Continue to check encrypted data: NO
HttpInspect Config:
GLOBAL CONFIG
Detect Proxy Usage: NO
IIS Unicode Map Filename: (null)
IIS Unicode Map Codepage: 1252
Memcap used for logging URI and Hostname: 150994944
Max Gzip Memory: 838860
Max Gzip sessions: 5825
Gzip Compress Depth: 65535
Gzip Decompress Depth: 65535
DEFAULT SERVER CONFIG:
Server profile: All
Server Flow Depth: 0
Client Flow Depth: 0
Max Chunk Length: 500000
Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
Max Header Field Length: 750
Max Number Header Fields: 100
Max Number of WhiteSpaces allowed with header folding: 200
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Oversize Dir Length: 500
Only inspect URI: NO
Normalize HTTP Headers: NO
Inspect HTTP Cookies: YES
Inspect HTTP Responses: YES
Unlimited decompression of gzip data from responses: YES
Normalize Javascripts in HTTP Responses: YES
Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
Normalize HTTP Cookies: NO
Enable XFF and True Client IP: NO
Extended ASCII code support in URI: NO
Log HTTP URI data: NO
Log HTTP Hostname data: NO
Extract Gzip from responses: YES
Ascii: OFF
Double Decoding: OFF
%U Encoding: ON
Bare Byte: OFF
UTF 8: OFF
IIS Unicode: OFF
Multiple Slash: OFF
IIS Backslash: OFF
Directory Traversal: OFF
Web Root Traversal: OFF
Apache WhiteSpace: OFF
IIS Delimiter: OFF
IIS Unicode Map: NOT CONFIGURED
Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
TELNET CONFIG:
Are You There Threshold: -1
Normalize: NO
Check for Encrypted Traffic: OFF
Continue to check encrypted data: NO
rpc_decode
Portscan Detection Config:
Detect Protocols:
Detect Scan Type:
Sensitivity Level:
Memcap (in bytes): 1048576
Number of Nodes: 0
PerfMonitor config:
Sample Time: 1 seconds
Packet Count: 1
Max File Size: 2147483647
Base Stats: ACTIVE (SUMMARY)
Base Stats File: INACTIVE
Max Perf Stats: INACTIVE
Flow Stats: INACTIVE (SUMMARY)
Event Stats: INACTIVE (SUMMARY)
Flow IP Stats: INACTIVE (SUMMARY)
Console Mode: ACTIVE
Binder
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] eno16777736
----------------------------------ll /var/log/snort/-----------------------------
[root@localhost ~]# ll /var/log/snort/
total 40
-rw-r--r--. 1 root root 0 Jan 14 02:05 barnyard2.waldo
-rw-------. 1 root root 37516 Jan 15 23:18 log.pcap
-rw-------. 1 root root 0 Jan 15 23:16 unified2log.u2.1421381779
-rw-------. 1 root root 0 Jan 16 01:11 unified2log.u2.1421388663
[root@localhost ~]#
--------------------------------------------rules -------------------------------------
[root@localhost ~]# cat /etc/snort/rules/local.rules
# Copyright 2001-2013 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------
# LOCAL RULES
#-------------
alert icmp any any -> any any (msg:"icmp"; itype:8; sid:100000; rev:1;)
alert tcp any any -> any any (msg:"tcp"; sid:"1000001";)
[root@localhost ~]#
---------------------------------------------------------------------------
블로그서명
시작했다면 끝을 보아라
자기소개를 입력하세요.
블로그서명시작했다면 끝을 보아라
자기소개를 입력하세요.
------------------------------------------------------------------------------ New Year. New Location. New Benefits. New Data Center in Ashburn, VA. GigeNET is offering a free month of service with a new server in Ashburn. Choose from 2 high performing configs, both with 100TB of bandwidth. Higher redundancy.Lower latency.Increased capacity.Completely compliant. http://p.sf.net/sfu/gigenet
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Re: confirm 343ec785cc752e98b958383c9c38dfab4b0200dc 박종일 (Jan 17)
- Re: confirm 343ec785cc752e98b958383c9c38dfab4b0200dc 박종일 (Jan 17)
- Re: confirm 343ec785cc752e98b958383c9c38dfab4b0200dc Russ Combs (rucombs) (Jan 18)
- Re: confirm 343ec785cc752e98b958383c9c38dfab4b0200dc 박종일 (Jan 17)