Snort mailing list archives

Re: need help


From: syazareen <syazareen () yahoo com>
Date: Thu, 25 Jun 2015 22:58:56 +0000 (UTC)

I want to test a rule for IPv6, but I do not know how to write the rule for IPv6. Do you have any suggestion for me? I'm using
Snort on Windows.


On Wednesday, June 24, 2015 9:01 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

“ipv” isn’t a Snort rule option.
IPv6 is enabled by default in Snort.  There are no additional plugins needed.
--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com


On Jun 24, 2015, at 12:01 AM, syazareen <syazareen () yahoo com> wrote:
Greetings. I'm a student doing a project using Snort. I want to ask a question about Snort. I have installed Snort
version 2.9.7.2 on Windows 8. I have tried to configure rules in Snort on an IPv4 network and it is working. Now I want to
use Snort on an IPv6 network. I want to test the existing rules I found on the internet, but an error appeared. The rule I have
tried is as follows:
alert icmp any any -> any any ( itype :8; ipv: 6; \ msg :" ICMPv4 PING in v6 pkt "; sid :100001; rev :1;) 

The error states "unknown rule option ipv". What should I do? Below is my snort.conf.

#--------------------------------------------------
#   VRT Rule Packages Snort.conf
#
#   For more information visit us at:
#     http://www.snort.org                   Snort Website
#     http://vrt-blog.snort.org/    Sourcefire VRT Blog
#
#     Mailing list Contact:      snort-sigs () lists sourceforge net
#     False Positive reports:    fp () sourcefire com
#     Snort bugs:                bugs () snort org
#
#     Compatible with Snort Versions:
#     VERSIONS : 2.9.7.x
#
#     Snort build options:
#     OPTIONS : --enable-gre --enable-mpls --enable-targetbased --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
#
#     Additional information:
#     This configuration file enables active response, to run snort in
#     test mode -T you are required to supply an interface -i <interface>
#     or test mode will fail to fully validate the configuration and
#     exit with a FATAL error
#--------------------------------------------------

###################################################
# This file contains a sample snort configuration.
# You should take the following steps to create your own custom configuration:
#
#  1) Set the network variables.
#  2) Configure the decoder
#  3) Configure the base detection engine
#  4) Configure dynamic loaded libraries
#  5) Configure preprocessors
#  6) Configure output plugins
#  7) Customize your rule set
#  8) Customize preprocessor and decoder rule set
#  9) Customize shared object rule set
###################################################

###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################

# Setup the network addresses you are protecting
ipvar HOME_NET any

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of ssh servers on your network
var SSH_SERVERS $HOME_NET

# List of ftp servers on your network
var FTP_SERVERS $HOME_NET

# List of sip servers on your network
var SIP_SERVERS $HOME_NET

# List of ports you run web servers on
portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]

# List of ports you want to look for SHELLCODE on.
portvar SHELLCODE_PORTS !80

# List of ports you might see oracle attacks on
portvar ORACLE_PORTS 1024:

# List of ports you want to look for SSH connections on:
portvar SSH_PORTS 22

# List of ports you run ftp servers on
portvar FTP_PORTS [21,2100,3535]

# List of ports you run SIP servers on
portvar SIP_PORTS [5060,5061,5600]

# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]

# List of GTP ports for GTP preprocessor
portvar GTP_PORTS [2123,2152,3386]

# other variables, these should not be modified
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH c:\Snort\rules
var SO_RULE_PATH c:\Snort\so_rules
var PREPROC_RULE_PATH c:\Snort\preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH c:\Snort\rules
var BLACK_LIST_PATH c:\Snort\rules

###################################################
# Step #2: Configure the decoder.  For more information, see README.decode
###################################################

# Stop generic decode events:
config disable_decode_alerts

# Stop Alerts on experimental TCP options
config disable_tcpopt_experimental_alerts

# Stop Alerts on obsolete TCP options
config disable_tcpopt_obsolete_alerts

# Stop Alerts on T/TCP alerts
config disable_tcpopt_ttcp_alerts

# Stop Alerts on all other TCPOption type events:
config disable_tcpopt_alerts

# Stop Alerts on invalid ip options
config disable_ipopt_alerts

# Alert if value in length field (IP, TCP, UDP) is greater than the length of the packet
# config enable_decode_oversized_alerts

# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
# config enable_decode_oversized_drops

# Configure IP / TCP checksum mode
config checksum_mode: all

# Configure maximum number of flowbit references.  For more information, see README.flowbits
# config flowbits_size: 64

# Configure ports to ignore
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53

# Configure active response for non inline operation. For more information, see README.active
# config response: eth0 attempts 2

# Configure DAQ related options for inline operation. For more information, see README.daq
#
# config daq: <type>
# config daq_dir: <dir>
# config daq_mode: <mode>
# config daq_var: <var>
#
# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
# <mode> ::= read-file | passive | inline
# <var> ::= arbitrary <name>=<value passed to DAQ
# <dir> ::= path as to where to look for DAQ module so's

# Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options
#
# config set_gid:
# config set_uid:

# Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
#
# config snaplen:
#

# Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
#
# config bpf_file:
#

# Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)
#
config logdir: c:\Snort\log

###################################################
# Step #3: Configure the base detection engine.  For more information, see  README.decode
###################################################

# Configure PCRE match limitations
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500

# Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-split search-optimize max-pattern-len 20

# Configure the event queue.  For more information, see README.event_queue
config event_queue: max_queue 8 log 5 order_events content_length

####################################################
# Configure GTP if it is to be used.
#
# For more information, see README.GTP
####################################################

# config enable_gtp

###################################################
# Per packet and rule latency enforcement
# For more information see README.ppm
###################################################

# Per Packet latency configuration
#config ppm: max-pkt-time 250, \
#   fastpath-expensive-packets, \
#   pkt-log

# Per Rule latency configuration
#config ppm: max-rule-time 200, \
#   threshold 3, \
#   suspend-expensive-rules, \
#   suspend-timeout 20, \
#   rule-log alert

###################################################
# Configure Perf Profiling for debugging
# For more information see README.PerfProfiling
###################################################

#config profile_rules: print all, sort avg_ticks
#config profile_preprocs: print all, sort avg_ticks

###################################################
# Configure protocol aware flushing
# For more information see README.stream5
###################################################
config paf_max: 16000
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
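A small model of the two points made in this thread, added here as an example and not code from Snort or from either poster: a rule option Snort does not know ("ipv") is a parse error, and IP version is decided by the addresses in the rule header, so the same `icmp` rule matches IPv4 or IPv6 packets without any extra option. Assumptions: KNOWN_OPTIONS is a constructed subset of Snort's options, ports are ignored, the 2001:db8::/32 prefix and the packets are constructed, and ICMPv6 is matched by the `icmp` protocol keyword as in Snort 2.9.

```python
"""Toy model of how Snort 2.9 handles the rule from this thread (added example,
not Snort code). Assumptions: KNOWN_OPTIONS is a constructed subset, ports are
ignored, and ICMPv6 is matched by the 'icmp' protocol keyword as in Snort 2.9."""
import ipaddress
import re
KNOWN_OPTIONS = {"msg", "sid", "rev", "itype", "icode", "classtype"}
HEADER = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split 'action proto src sport -> dst dport (options)'; unknown option = error."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("malformed rule header")
    action, proto, src, _sport, dst, _dport, body = m.groups()
    opts = {}
    for item in body.replace("\\", "").split(";"):   # drop line-continuation backslashes
        if item.strip():
            key, _, val = item.partition(":")
            key = key.strip()
            if key not in KNOWN_OPTIONS:
                raise ValueError(f"unknown rule option {key}")  # the error in the thread
            opts[key] = val.strip().strip('"').strip()
    return {"action": action, "proto": proto, "src": src, "dst": dst, "opts": opts}

def check_rule(text):
    """None if the rule parses, otherwise the error text."""
    try:
        parse_rule(text)
        return None
    except ValueError as e:
        return str(e)

def addr_matches(spec, addr):
    """'any' or one bracketed CIDR; ipaddress handles v4 and v6 with the same code."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec.strip("[]"), strict=False)

def rule_matches(rule, pkt):
    """pkt is a constructed dict: proto, src, dst, itype."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    want = rule["opts"].get("itype")
    return want is None or int(want) == pkt["itype"]

# The rule as posted (fails to parse) and an IPv6 variant: the IPv6 scope comes from the
# header address (constructed 2001:db8::/32) and an ICMPv6 echo request is itype 128.
POSTED = r'alert icmp any any -> any any ( itype :8; ipv: 6; \ msg :" ICMPv4 PING in v6 pkt "; sid :100001; rev :1;)'
FIXED = 'alert icmp any any -> [2001:db8::/32] any (itype:128; msg:"ICMPv6 echo request"; sid:100001; rev:1;)'
V4_PING = {"proto": "icmp", "src": "192.0.2.1", "dst": "198.51.100.7", "itype": 8}    # constructed
V6_PING = {"proto": "icmp", "src": "2001:db8::1", "dst": "2001:db8::2", "itype": 128}  # constructed
```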


