Snort mailing list archives
Re: confirm 343ec785cc752e98b958383c9c38dfab4b0200dc
From: 박종일 <pji5732 () naver com>
Date: Sun, 18 Jan 2015 13:20:34 +0900 (KST)
Um... I edited the conf file and the local rule; however, like the symptoms before the setting, the logger is not working! The unified2 file size is 0. Please help me...

------------------snort.lua--------------------------
---------------------------------------------------------------------------
-- Snort++ configuration
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- setup environment
---------------------------------------------------------------------------
-- given:
-- export DIR=/install/path
-- configure --prefix=$DIR
-- make install
--
-- then:
-- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
-- export SNORT_LUA_PATH=$DIR/conf/
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- setup the basics
---------------------------------------------------------------------------

require('snort_config')  -- for loading

-- Setup the network addresses you are protecting
HOME_NET = '192.168.223.0/24'

-- Set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = '!' .. HOME_NET

conf_dir = os.getenv('SNORT_LUA_PATH')

if ( not conf_dir ) then
    conf_dir = '.'
end

dofile(conf_dir .. '/snort_defaults.lua')
dofile(conf_dir .. '/classification.lua')
dofile(conf_dir .. '/reference.lua')

---------------------------------------------------------------------------
-- configure modules
---------------------------------------------------------------------------
--
-- mod = { } uses internal defaults
-- you can see them with snort --help-module mod
-- comment or delete to disable mod functionality
--
-- you can also use default_ftp_server and default_wizard
---------------------------------------------------------------------------

--pcap file
--log_pcap = { }
--log_pcap.limit = 0
--log_pcap.units = B

-- uncomment ppm if you built with --enable-ppm
ppm = { }

-- uncomment profile if you built with --enable-perfprofile
--profile = { }

-- uncomment normalizer if you are inline or not --pedantic
--normalizer = { }

stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }

perf_monitor = { }
perf_monitor.console = true
perf_monitor.file = false
perf_monitor.seconds = 1
perf_monitor.packets = 1

arp_spoof = { }
back_orifice = { }
rpc_decode = { }
port_scan = { }
telnet = { }

-- use http_inspect or new_http_inspect (incomplete)
http_inspect = { }
--new_http_inspect = { }

ftp_server = default_ftp_server
ftp_client = { }
ftp_data = { }

wizard = default_wizard

--unified2 & output
alert_fast = { }

unified2 = { }
unified2.limit = 0
unified2.units = B
unified2.nostamp = false
unified2.mpls_event_types = true
unified2.vlan_event_types = true

output = { }
output.verbose = true
output.quiet = false
output.dump_payload = true
output.dump_payload_verbose =ture

---------------------command--------------------------------------
[root@localhost ~]# snort -i eno16777736 -c /usr/local/etc/snort/snort.lua -R /etc/snort/rules -l /var/log/snort/ -K text -d -v -e

--------------------------------------------------
   o")~   Snort++ 3.0.0-a1-130
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
	back_orifice
	classifications
	output
	alert_fast
	stream_tcp
	ftp_data
	unified2
	ftp_server
	http_inspect
	telnet
	port_scan
	rpc_decode
	arp_spoof
	perf_monitor
	stream_ip
	stream
	ftp_client
	stream_icmp
	references
	stream_udp
	wizard
Finished /usr/local/etc/snort/snort.lua.
Loading rules:
Loading /etc/snort/rules:
Finished /etc/snort/rules.
Finished rules.
Wizard
back_orifice
arpspoof configured
Stream5 TCP Policy config:
    Reassembly Policy: LAST
    Timeout: 30 seconds
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Require 3-Way Handshake: NO
Stream IP config:
    Timeout: 60 seconds
    Defrag engine config:
        engine-based policy: LINUX
        Fragment timeout: 60 seconds
        Fragment min_ttl: 1
        Max frags: 8192
        Max overlaps: 0
        Min fragment Length: 0
Stream5 ICMP config:
    Timeout: 30 seconds
Stream5 UDP config:
    Timeout: 30 seconds
    Ignore Any -> Any Rules: NO
ftp_client:
    Check for Bounce Attacks: OFF
    Check for Telnet Cmds: OFF
    Ignore Telnet Cmd Operations: OFF
    Max Response Length: -1
ftp_server:
    Check for Telnet Cmds: ON
    Ignore Telnet Cmd Operations: ON
    Identify open data channels: YES
    Check for Encrypted Traffic: ON
    Continue to check encrypted data: NO
HttpInspect Config:
    GLOBAL CONFIG
      Detect Proxy Usage: NO
      IIS Unicode Map Filename: (null)
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 150994944
      Max Gzip Memory: 838860
      Max Gzip sessions: 5825
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
    DEFAULT SERVER CONFIG:
      Server profile: All
      Server Flow Depth: 0
      Client Flow Depth: 0
      Max Chunk Length: 500000
      Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
      Max Header Field Length: 750
      Max Number Header Fields: 100
      Max Number of WhiteSpaces allowed with header folding: 200
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Inspect HTTP Cookies: YES
      Inspect HTTP Responses: YES
      Unlimited decompression of gzip data from responses: YES
      Normalize Javascripts in HTTP Responses: YES
      Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: NO
      Extended ASCII code support in URI: NO
      Log HTTP URI data: NO
      Log HTTP Hostname data: NO
      Extract Gzip from responses: YES
      Ascii: OFF
      Double Decoding: OFF
      %U Encoding: ON
      Bare Byte: OFF
      UTF 8: OFF
      IIS Unicode: OFF
      Multiple Slash: OFF
      IIS Backslash: OFF
      Directory Traversal: OFF
      Web Root Traversal: OFF
      Apache WhiteSpace: OFF
      IIS Delimiter: OFF
      IIS Unicode Map: NOT CONFIGURED
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
TELNET CONFIG:
    Are You There Threshold: -1
    Normalize: NO
    Check for Encrypted Traffic: OFF
    Continue to check encrypted data: NO
rpc_decode
Portscan Detection Config:
    Detect Protocols:
    Detect Scan Type:
    Sensitivity Level:
    Memcap (in bytes): 1048576
    Number of Nodes: 0
PerfMonitor config:
    Sample Time: 1 seconds
    Packet Count: 1
    Max File Size: 2147483647
    Base Stats: ACTIVE (SUMMARY)
      Base Stats File: INACTIVE
      Max Perf Stats: INACTIVE
    Flow Stats: INACTIVE (SUMMARY)
    Event Stats: INACTIVE (SUMMARY)
    Flow IP Stats: INACTIVE (SUMMARY)
    Console Mode: ACTIVE
Binder
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] eno16777736

----------------------------------ll /var/log/snort/-----------------------------
[root@localhost ~]# ll /var/log/snort/
total 40
-rw-r--r--. 1 root root     0 Jan 14 02:05 barnyard2.waldo
-rw-------. 1 root root 37516 Jan 15 23:18 log.pcap
-rw-------. 1 root root     0 Jan 15 23:16 unified2log.u2.1421381779
-rw-------. 1 root root     0 Jan 16 01:11 unified2log.u2.1421388663
[root@localhost ~]#

--------------------------------------------rules -------------------------------------
[root@localhost ~]# cat /etc/snort/rules/local.rules
# Copyright 2001-2013 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------
# LOCAL RULES
#-------------
alert icmp any any -> any any (msg:"icmp"; itype:8; sid:100000; rev:1;)
alert tcp any any -> any any (msg:"tcp"; sid:"1000001";)
[root@localhost ~]#
---------------------------------------------------------------------------

Blog signature: If you have started, see it through to the end. Enter your self-introduction.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
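An added example, not from the post above and not code from the Snort project: a small Python reader for unified2 output files, which is the check a practitioner reaches for when a unified2 log is suspected to be empty or malformed. The record header (big-endian type and length) and the IPv4 event layouts for record types 7 (legacy) and 104 (the VLAN/MPLS event type selected when `vlan_event_types`/`mpls_event_types` are on, as in the posted config) follow Snort's documented unified2 format. The sample record it builds is constructed here to match the post's ICMP rule (sid 100000); `build_sample`, `summarize`, `iter_records` and the field names are this example's own.

```python
import ipaddress
import struct
from collections import Counter

# Record types from Snort's unified2 format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7            # legacy IPv4 event (no VLAN/MPLS fields)
UNIFIED2_IDS_EVENT_VLAN = 104     # IPv4 event written when vlan/mpls_event_types are on

RECORD_HDR = struct.Struct("!II")  # record type, record length (network byte order)

# Type 104 body: 9 x u32 (sensor, event id, sec, usec, sid, gid, rev, class, prio),
# src/dst IPv4 as u32, sport/itype u16, dport/icode u16,
# proto/impact_flag/impact/blocked u8, mpls_label u32, vlan_id u16, pad u16 -> 60 bytes
IDS_EVENT_VLAN = struct.Struct("!9I II HH BBBB I HH")
# Type 7 body is the same minus the trailing mpls/vlan/pad fields -> 52 bytes
IDS_EVENT_LEGACY = struct.Struct("!9I II HH BBBB")
# Type 2 body: sensor, event id, event sec, pkt sec, pkt usec, linktype, pkt len, then packet
PACKET_HDR = struct.Struct("!7I")

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "sid", "gid", "rev", "classification_id", "priority_id",
                "src", "dst", "sport_itype", "dport_icode",
                "protocol", "impact_flag", "impact", "blocked")


def iter_records(data):
    """Yield (record_type, body) for each record; raise on a truncated tail."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            raise ValueError("truncated record at offset %d" % (off - RECORD_HDR.size))
        yield rtype, data[off:off + length]
        off += length
    if off != len(data):
        raise ValueError("%d trailing bytes after last record" % (len(data) - off))


def parse_event(rtype, body):
    """Decode an IPv4 event body (type 7 or 104) into a dict of named fields."""
    layout = IDS_EVENT_VLAN if rtype == UNIFIED2_IDS_EVENT_VLAN else IDS_EVENT_LEGACY
    if len(body) != layout.size:
        raise ValueError("event type %d: expected %d bytes, got %d"
                         % (rtype, layout.size, len(body)))
    fields = layout.unpack(body)
    ev = dict(zip(EVENT_FIELDS, fields[:len(EVENT_FIELDS)]))
    ev["src"] = str(ipaddress.IPv4Address(ev["src"]))
    ev["dst"] = str(ipaddress.IPv4Address(ev["dst"]))
    if rtype == UNIFIED2_IDS_EVENT_VLAN:
        ev["mpls_label"], ev["vlan_id"] = fields[len(EVENT_FIELDS):len(EVENT_FIELDS) + 2]
    return ev


def summarize(data):
    """Count records by type and decode IPv4 events. A 0-byte file yields no records."""
    counts = Counter()
    events = []
    for rtype, body in iter_records(data):
        counts[rtype] += 1
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            events.append(parse_event(rtype, body))
    return {"counts": dict(counts), "events": events}


def build_sample():
    """Constructed sample file: one type-104 event for the post's ICMP rule plus its packet."""
    body = IDS_EVENT_VLAN.pack(
        0, 1, 1421381779, 0, 100000, 1, 1, 0, 0,
        int(ipaddress.IPv4Address("192.168.223.10")),
        int(ipaddress.IPv4Address("192.168.223.1")),
        8, 0,          # itype 8 / icode 0: ICMP echo request
        1, 0, 0, 0,    # protocol 1 (ICMP), impact_flag, impact, blocked
        0, 0, 0)       # mpls_label, vlan_id, pad
    pkt = bytes(range(42))  # placeholder packet bytes, not a real frame
    pkt_body = PACKET_HDR.pack(0, 1, 1421381779, 1421381779, 0, 1, len(pkt)) + pkt
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT_VLAN, len(body)) + body
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(pkt_body)) + pkt_body)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    s = summarize(data)
    print("records by type:", s["counts"] or "none (empty file)")
    for ev in s["events"]:
        print("gid:sid:rev %d:%d:%d  %s:%d -> %s:%d  proto %d" % (
            ev["gid"], ev["sid"], ev["rev"], ev["src"], ev["sport_itype"],
            ev["dst"], ev["dport_icode"], ev["protocol"]))
```

Run it with the path of a `unified2log.u2.<timestamp>` file to list what Snort actually wrote; with no argument it parses its own constructed sample. A file of size 0, as in the listing above, simply produces no records, which the reader reports as empty counts rather than a parse error, so the script distinguishes "nothing was logged" from "something was logged but is unreadable".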
Current thread:
- Re: confirm 343ec785cc752e98b958383c9c38dfab4b0200dc 박종일 (Jan 17)
- Re: confirm 343ec785cc752e98b958383c9c38dfab4b0200dc 박종일 (Jan 17)
- Re: confirm 343ec785cc752e98b958383c9c38dfab4b0200dc Russ Combs (rucombs) (Jan 18)
- Re: confirm 343ec785cc752e98b958383c9c38dfab4b0200dc 박종일 (Jan 17)