snort-users May 2009 archive

Re: [Snort-users] Error getting during snort installation steps on windows (Not able to run snortstart.bat file)

From: Joel Esler <jesler_at_nospam>
Date: Wed May 20 2009 - 12:40:23 GMT
To: Sadanand Ghagare <sadanandgh@gmail.com>


Sadanand,

That's the successful completion start up lines. I see no errors there. I see nothing to indicate that you *should* be receiving alerts in Kiwi, as you don't have the syslog output enabled. Try configuring that, and restarting Snort.

Joel
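The diagnosis above is that Snort starts cleanly but has no syslog output plugin enabled, so Kiwi never receives anything. The script below is an added example (not code from this thread or from the Snort project): it joins the backslash-continued lines of a Snort 2.x snort.conf, lists the active `output` plugins, and reports whether `alert_syslog` is among them. The two config fragments and the 192.0.2.10 syslog host are constructed for the example; `host=<ip>:<port>` is the alert_syslog argument that names a remote syslog server.

```python
import re

# Constructed fragments of a Snort 2.x snort.conf (not the poster's file).
# The first mirrors the thread: the only alert_syslog line is commented out,
# so no alert is ever sent to the Kiwi syslog server.
CONF_SYSLOG_COMMENTED = r"""
# Step #4: Configure output plugins
# output alert_syslog: host=192.0.2.10:514, LOG_AUTH LOG_ALERT
output alert_fast: alert.ids
config checksum_mode: all
"""

# The same fragment with syslog output enabled, including a continuation
# line. 192.0.2.10 is a placeholder address for the Kiwi host.
CONF_SYSLOG_ENABLED = r"""
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
    track_udp yes
output alert_syslog: host=192.0.2.10:514, \
    LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort dbname=snort host=localhost
"""


def logical_lines(conf_text):
    """Join backslash-continued lines and drop comment and blank lines."""
    joined = []
    buf = ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # a commented-out directive is not active
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        joined.append(buf.strip())
        buf = ""
    if buf:  # file ended inside a continuation
        joined.append(buf.strip())
    return joined


OUTPUT_RE = re.compile(r"^output\s+(\w+)\s*:?\s*(.*)$")


def output_plugins(conf_text):
    """Map each active output plugin name to the list of its argument strings."""
    plugins = {}
    for line in logical_lines(conf_text):
        m = OUTPUT_RE.match(line)
        if m:
            plugins.setdefault(m.group(1), []).append(m.group(2).strip())
    return plugins


def syslog_status(conf_text):
    """Return (enabled, detail) for the alert_syslog output plugin.

    Windows has no local syslog daemon, so without a host=<ip>:<port>
    argument the plugin cannot reach a remote server such as Kiwi.
    """
    plugins = output_plugins(conf_text)
    if "alert_syslog" not in plugins:
        return False, "no active 'output alert_syslog' directive"
    args = plugins["alert_syslog"][0]
    if "host=" not in args:
        return True, "alert_syslog active but no host= given: " + args
    return True, "alert_syslog -> " + args


if __name__ == "__main__":
    for name, conf in (("commented", CONF_SYSLOG_COMMENTED),
                       ("enabled", CONF_SYSLOG_ENABLED)):
        enabled, detail = syslog_status(conf)
        print(f"{name}: enabled={enabled}; {detail}")
```

Point it at the real file with `syslog_status(open(r"c:\snort\etc\snort.conf").read())`; after adding the output line, restart Snort as the reply says, since the config is only read at start-up.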

On Wed, May 20, 2009 at 7:05 AM, Sadanand Ghagare <sadanandgh@gmail.com> wrote:

> Hi
>
> I followed the steps to install Snort on Windows 2003 Standard Edition. For
> this, I used the method for installing Snort on Windows XP.
> After installation, when I tried to run the snortstart.bat file as per step
> 12, it got stuck at the following prompt; I can't see the Snort piggy, nor
> am I getting any output in Kiwi.
>
> --== Initialization Complete ==--
>
> ,,_ -*> Snort! <*-
> o" )~ Version 2.8.4-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 26)
> '''' By Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
> Copyright (C) 1998-2009 Sourcefire, Inc., et al.
> Using PCRE version: 7.4 2007-09-21
>
> Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.10 <Build 16>
> Preprocessor Object: SF_SSLPP Version 1.1 <Build 2>
> Preprocessor Object: SF_SSH Version 1.1 <Build 1>
> Preprocessor Object: SF_SMTP Version 1.1 <Build 7>
> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 11>
> Preprocessor Object: SF_DNS Version 1.1 <Build 2>
> Preprocessor Object: SF_DCERPC Version 1.1 <Build 4>
> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 1>
> Not Using PCAP_FRAMES
>
> ===================================
>
> Here is my snortstart.conf file:
>
> c:\snort\bin\snort -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf
>
> ================================
>
> Here is my snort.conf file:
>
> #VERSION:284
> #--------------------------------------------------
> # http://www.snort.org Snort current Ruleset
> # Contact: snort-sigs@lists.sourceforge.net
> #--------------------------------------------------
> # $Id: snort.conf,v 1.183.4.6 2009/04/08 21:40:16 mwatchinski Exp $
> #
> ###################################################
> # This file contains a sample snort configuration.
> # You can take the following steps to create your own custom configuration:
> #
> # 1) Set the variables for your network
> # 2) Configure dynamic loaded libraries
> # 3) Configure preprocessors
> # 4) Configure output plugins
> # 5) Add any runtime config directives
> # 6) Customize your rule set
> #
> ###################################################
> # Step #1: Set the network variables:
> #
> # You must change the following variables to reflect your local network. The
> # variable is currently setup for an RFC 1918 address space.
> #
> # You can specify it explicitly as:
> #
> # var HOME_NET 10.1.1.0/24
> #
> # or use global variable $<interfacename>_ADDRESS which will be always
> # initialized to IP address and netmask of the network interface which you run
> # snort at. Under Windows, this must be specified as
> # $(<interfacename>_ADDRESS), such as:
> # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
> #
> # var HOME_NET $eth0_ADDRESS
> #
> # You can specify lists of IP addresses for HOME_NET
> # by separating the IPs with commas like this:
> #
> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> #
> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> #
> # or you can specify the variable to be any IP address
> # like this:
>
> # Set up network addresses you are protecting. A simple start might be RFC1918
> var HOME_NET any
>
> # Set up the external network addresses as well. A good start may be "any"
> var EXTERNAL_NET any
>
> # Configure your server lists. This allows snort to only look for attacks to
> # systems that have a service up. Why look for HTTP attacks if you are not
> # running a web server? This allows quick filtering based on IP addresses
> # These configurations MUST follow the same configuration scheme as defined
> # above for $HOME_NET.
>
> # List of DNS servers on your network
> var DNS_SERVERS $HOME_NET
>
> # List of SMTP servers on your network
> var SMTP_SERVERS $HOME_NET
>
> # List of web servers on your network
> var HTTP_SERVERS $HOME_NET
>
> # List of sql servers on your network
> var SQL_SERVERS $HOME_NET
>
> # List of telnet servers on your network
> var TELNET_SERVERS $HOME_NET
>
> # List of snmp servers on your network
> var SNMP_SERVERS $HOME_NET
>
> # List of ftp servers on your network
> var FTP_SERVERS $HOME_NET
>
> # List of ssh servers on your network
> var SSH_SERVERS $HOME_NET
>
> # List of pop2/3 servers on your network
> var POP_SERVERS $HOME_NET
>
> # List of imap servers on your network
> var IMAP_SERVERS $HOME_NET
>
> # List of SunRPC servers on your network
> var RPC_SERVERS $HOME_NET
>
> # List of web servers on your network
> var WWW_SERVERS $HOME_NET
>
> # AIM servers. AOL has a habit of adding new AIM servers, so instead of
> # modifying the signatures when they do, we add them to this list of servers.
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>
>
> # Configure your service ports. This allows snort to look for attacks destined
> # to a specific application only on the ports that application runs on. For
> # example, if you run a web server on port 8081, set your HTTP_PORTS variable
> # like this:
> #
> # var HTTP_PORTS 8081
> #
> # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
> # We will be adding support for a real list of ports in the future.
>
> # Ports you run web servers on
> #
> # Please note: [80,8080] does not work.
> # If you wish to define multiple HTTP ports, use the following convention
> # when customizing your rule set (as part of Step #6 below). This should
> # not be done here, as the rules files may depend on the classifications
> # and/or references, which are included below.
> #
> ## var HTTP_PORTS 80
> ## include somefile.rules
> ## var HTTP_PORTS 8080
> ## include somefile.rules
>
> # HTTP Ports on your network
> portvar HTTP_PORTS [80,2301,3128,8000,8080,8180,8888]
>
> # Ports you want to look for SHELLCODE on.
> portvar SHELLCODE_PORTS !80
>
> # Ports you do oracle attacks on
> portvar ORACLE_PORTS 1521
>
> # Auth / ident
> portvar AUTH_PORTS 113
>
> # DNS
> portvar DNS_PORTS 53
>
> # Finger
> portvar FINGER_PORTS 79
>
> # Ftp
> portvar FTP_PORTS 21
>
> # Imap
> portvar IMAP_PORTS 143
>
> # IRC
> portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
>
> # MS-SQL
> portvar MSSQL_PORTS 1433
>
> # NNTP
> portvar NNTP_PORTS 119
>
> # POP2
> portvar POP2_PORTS 109
>
> # POP3
> portvar POP3_PORTS 110
>
> # PortMapper
> portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
>
> # rlogin
> portvar RLOGIN_PORTS 513
>
> # rsh
> portvar RSH_PORTS 514
>
> # smb
> portvar SMB_PORTS [139,445]
>
> # smtp
> portvar SMTP_PORTS 25
>
> # snmp
> portvar SNMP_PORTS 161
>
> # ssh
> portvar SSH_PORTS 22
>
> # telnet
> portvar TELNET_PORTS 23
>
> # mail this for compatibility with versions of snort that support port lists
> portvar MAIL_PORTS [25,143,465,691]
>
> # SSL Ports
> portvar SSL_PORTS [25,443,465,636,993,995]
>
> # DCERPC NCACN-IP-TCP
> portvar DCERPC_NCACN_IP_TCP [139,445]
> portvar DCERPC_NCADG_IP_UDP [138,1024:]
> portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
> portvar DCERPC_NCACN_UDP_LONG [135,1024:]
> portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
> portvar DCERPC_NCACN_TCP [2103,2105,2107]
> portvar DCERPC_BRIGHTSTORE [6503,6504]
>
> # Path to your rules files (this can be a relative path)
> # Note for Windows users: You are advised to make this an absolute path,
> # such as: c:\snort\rules
> var RULE_PATH C:\snort\rules
>
> # Configure the snort decoder
> # ============================
> #
> # Snort's decoder will alert on lots of things such as header
> # truncation or options of unusual length or infrequently used tcp options
> #
> #
> # Stop generic decode events:
> #
> # config disable_decode_alerts
> #
> # Stop Alerts on experimental TCP options
> #
> # config disable_tcpopt_experimental_alerts
> #
> # Stop Alerts on obsolete TCP options
> #
> # config disable_tcpopt_obsolete_alerts
> #
> # Stop Alerts on T/TCP alerts
> #
> # In snort 2.0.1 and above, this only alerts when a TCP option is detected
> # that shows T/TCP being actively used on the network. If this is normal
> # behavior for your network, disable the next option.
> #
> # config disable_tcpopt_ttcp_alerts
> #
> # Stop Alerts on all other TCPOption type events:
> #
> # config disable_tcpopt_alerts
> #
> # Stop Alerts on invalid ip options
> #
> # config disable_ipopt_alerts
> #
> # Alert if value in length field (IP, TCP, UDP) is greater than the
> # actual length of the captured portion of the packet that the length
> # is supposed to represent:
> #
> # config enable_decode_oversized_alerts
> #
> # Same as above, but drop packet if in Inline mode -
> # enable_decode_oversized_alerts must be enabled for this to work:
> #
> # config enable_decode_oversized_drops
> #
> config checksum_mode: all
> config disable_decode_alerts
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_obsolete_alerts
> config disable_ttcp_alerts
> config disable_tcpopt_alerts
> config disable_ipopt_alerts
> config disable_decode_drops
>
> # Configure the detection engine
> # ===============================
> #
> # Use a different pattern matcher in case you have a machine with very limited
> # resources:
> #
> # config detection: search-method lowmem
>
> config detection: search-method ac-bnfa
> config detection: max_queue_events 5
> config event_queue: max_queue 8 log 3 order_events content_length
>
> # Configure Inline Resets
> # ========================
> #
> # If running an iptables firewall with snort in InlineMode() we can now
> # perform resets via a physical device. We grab the indev from iptables
> # and use this for the interface on which to send resets. This config
> # option takes an argument for the src mac address you want to use in the
> # reset packet. This way the bridge can remain stealthy. If the src mac
> # option is not set we use the mac address of the indev device. If we
> # don't set this option we will default to sending resets via raw socket,
> # which needs an ipaddress to be assigned to the int.
> #
> # config layer2resets: 00:06:76:DD:5F:E3
>
> ###################################################
> # Step #2: Configure dynamic loaded libraries
> #
> # If snort was configured to use dynamically loaded libraries,
> # those libraries can be loaded here.
> #
> # Each of the following configuration options can be done via
> # the command line as well.
> #
> # Load all dynamic preprocessors from the install path
> # (same as command line option --dynamic-preprocessor-lib-dir)
> #
> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
>
> # Comment out above and uncomment this if running OSX
> #
> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.dylib
> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.dylib
> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.dylib
> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.dylib
> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.dylib
> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.dylib
>
> #
> # Load a specific dynamic preprocessor library from the install path
> # (same as command line option --dynamic-preprocessor-lib)
> #
> # dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
> #
> # Load a dynamic engine from the install path
> # (same as command line option --dynamic-engine-lib)
> #
> dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
> #
> # Load all dynamic rules libraries from the install path
> # (same as command line option --dynamic-detection-lib-dir)
> #
> # dynamicdetection directory /usr/local/lib/snort_dynamicrule/
> #
> # Load a specific dynamic rule library from the install path
> # (same as command line option --dynamic-detection-lib)
> #
> # Rule packages from the VRT contain a so_rules directory that contains these rules
> # you need to compile them using the makefile in the rules package and place
> # them here and add them.
> #
>
> # Uncomment if you are using the default VRT SO rules and have them in this directory.
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/bad-traffic.so
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/chat.so
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/dos.so
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/exploit.so
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/imap.so
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/misc.so
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/multimedia.so
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/netbios.so
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/nntp.so
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/p2p.so
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/smtp.so
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/sql.so
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-client.so
> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-misc.so
>
>
> ###################################################
> # Step #3: Configure preprocessors
> #
> # General configuration for preprocessors is of
> # the form
> # preprocessor <name_of_processor>: <configuration_options>
>
> # frag3: Target-based IP defragmentation
> # --------------------------------------
> #
> # Frag3 is a brand new IP defragmentation preprocessor that is capable of
> # performing "target-based" processing of IP fragments. Check out the
> # README.frag3 file in the doc directory for more background and configuration
> # information.
> #
> # Frag3 configuration is a two step process, a global initialization phase
> # followed by the definition of a set of defragmentation engines.
> #
> # Global configuration defines the number of fragmented packets that Snort can
> # track at the same time and gives you options regarding the memory cap for the
> # subsystem or, optionally, allows you to preallocate all the memory for the
> # entire frag3 system.
> #
> # frag3_global options:
> # max_frags: Maximum number of frag trackers that may be active at once.
> # Default value is 8192.
> # memcap: Maximum amount of memory that frag3 may access at any given time.
> # Default value is 4MB.
> # prealloc_frags: Maximum number of individual fragments that may be processed
> # at once. This is instead of the memcap system, uses static
> # allocation to increase performance. No default value. Each
> # preallocated fragment eats ~1550 bytes.
> #
> # Target-based behavior is attached to an engine as a "policy" for handling
> # overlaps and retransmissions as enumerated in the Paxson paper. There are
> # currently five policy types available: "BSD", "BSD-right", "First", "Linux"
> # and "Last". Engines can be bound to standard Snort CIDR blocks or
> # IP lists.
> #
> # frag3_engine options:
> # timeout: Amount of time a fragmented packet may be active before expiring.
> # Default value is 60 seconds.
> # ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
> # Based on the initial received fragment TTL.
> # min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
> # value will be discarded. Default value is 0.
> # detect_anomalies: Activates frag3's anomaly detection mechanisms.
> # policy: Target-based policy to assign to this engine. Default is Windows.
> # bind_to: IP address set to bind this engine to. Default is all hosts.
> #
> # Frag3 configuration example:
> #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
> #preprocessor frag3_engine: policy linux \
> # bind_to [10.1.1.12/32,10.1.1.13/32] \
> # detect_anomalies
> #preprocessor frag3_engine: policy first \
> # bind_to 10.2.1.0/24 \
> # detect_anomalies
> #preprocessor frag3_engine: policy last \
> # bind_to 10.3.1.0/24
> #preprocessor frag3_engine: policy bsd
>
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy windows timeout 180
>
> # stream5: Target Based stateful inspection/stream reassembly for Snort
> # ---------------------------------------------------------------------
> # Stream5 is a target-based stream engine for Snort. Its functionality
> # replaces that of Stream4. Consequently, BOTH Stream4 and Stream5
> # cannot be used simultaneously. Comment out the stream4 configurations
> # above to use Stream5.
> #
> # See README.stream5 for details on the configuration options.
> #
> # Example config (that emulates Stream4 with UDP support compiled in)
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> track_udp yes
> preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, \
> ports client 21 23 25 42 53 80 135 136 137 139 143 110 111 445 465 513 691 1433 1521 2100 2301 3128 3306 8000 8080 8180 8888, \
> ports both 443 465 563 636 989 992 993 994 995
> preprocessor stream5_udp: ignore_any_rules
>
>
> # Performance Statistics
> # ----------------------
> # Documentation for this is provided in the Snort Manual. You should read it.
> # It is included in the release distribution as doc/snort_manual.pdf
> #
> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>
> # http_inspect: normalize and detect HTTP traffic and protocol anomalies
> #
> # lots of options available here. See doc/README.http_inspect.
> # unicode.map should be wherever your snort.conf lives, or given
> # a full path to where snort can find it.
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: \
> server default \
> apache_whitespace no \
> ascii no \
> bare_byte no \
> chunk_length 500000 \
> flow_depth 1460 \
> directory no \
> double_decode no \
> iis_backslash no \
> iis_delimiter no \
> iis_unicode no \
> multi_slash no \
> non_strict \
> oversize_dir_length 500 \
> ports { 80 2301 3128 8000 8080 8180 8888 } \
> u_encode yes \
> non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
> webroot no
>
> #
> # Example unique server configuration
> #
> #preprocessor http_inspect_server: server 1.1.1.1 \
> # ports { 80 3128 8080 } \
> # flow_depth 0 \
> # ascii no \
> # double_decode yes \
> # non_rfc_char { 0x00 } \
> # chunk_length 500000 \
> # non_strict \
> # oversize_dir_length 300 \
> # no_alerts
>
>
> # rpc_decode: normalize RPC traffic
> # ---------------------------------
> # RPC may be sent in alternate encodings besides the usual 4-byte encoding
> # that is used by default. This plugin takes the port numbers that RPC
> # services are running on as arguments - it is assumed that the given ports
> # are actually running this type of service. If not, change the ports or turn
> # it off.
> # The RPC decode preprocessor uses generator ID 106
> #
> # arguments: space separated list
> # alert_fragments - alert on any rpc fragmented TCP data
> # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
> # no_alert_large_fragments - don't alert when the fragmented
> # sizes exceed the current packet size
> # no_alert_incomplete - don't alert when a single segment
> # exceeds the current packet size
>
> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
>
> # bo: Back Orifice detector
> # -------------------------
> # Detects Back Orifice traffic on the network.
> #
> # arguments:
> # syntax:
> # preprocessor bo: noalert { client | server | general | snort_attack } \
> # drop { client | server | general | snort_attack }
> # example:
> # preprocessor bo: noalert { general server } drop { snort_attack }
>
> #
> # The Back Orifice detector uses Generator ID 105 and uses the
> # following SIDS for that GID:
> # SID Event description
> # ----- -------------------
> # 1 Back Orifice traffic detected
> # 2 Back Orifice Client Traffic Detected
> # 3 Back Orifice Server Traffic Detected
> # 4 Back Orifice Snort Buffer Attack
>
> preprocessor bo
>
> # telnet_decode: Telnet negotiation string normalizer
> # ---------------------------------------------------
> # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
> # traffic. It works in much the same way as the http_decode preprocessor,
> # searching for traffic that breaks up the normal data stream of a protocol and
> # replacing it with a normalized representation of that traffic so that the
> # "content" pattern matching keyword can work without requiring modifications.
> # This preprocessor requires no arguments.
> #
> # DEPRECATED in favor of ftp_telnet dynamic preprocessor
> #preprocessor telnet_decode
> #
> # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
> # ---------------------------------------------------------------------------
> # This preprocessor normalizes telnet negotiation strings from telnet and
> # ftp traffic. It looks for traffic that breaks the normal data stream
> # of the protocol, replacing it with a normalized representation of that
> # traffic so that the "content" pattern matching keyword can work without
> # requiring modifications.
> #
> # It also performs protocol correctness checks for the FTP command channel,
> # and identifies open FTP data transfers.
> #
> # FTPTelnet has numerous options available, please read
> # README.ftptelnet for help configuring the options for the global
> # telnet, ftp server, and ftp client sections for the protocol.
>
> #####
> # Per Step #2, set the following to load the ftptelnet preprocessor
> # dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>
> # or use commandline option
> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
> preprocessor ftp_telnet: \
> global \
> encrypted_traffic yes \
> check_encrypted \
> inspection_type stateful
>
> preprocessor ftp_telnet_protocol: \
> telnet \
> ayt_attack_thresh 20 \
> normalize ports { 23 } \
> detect_anomalies
>
> preprocessor ftp_telnet_protocol: \
> ftp server default \
> def_max_param_len 100 \
> ports { 21 2100 } \
> ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
> ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
> ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
> ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
> ftp_cmds { FEAT OPTS CEL CMD MACB } \
> ftp_cmds { MDTM REST SIZE MLST MLSD } \
> ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
> alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
> alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
> alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
> alt_max_param_len 256 { RNTO CWD } \
> alt_max_param_len 400 { PORT } \
> alt_max_param_len 512 { SIZE } \
> chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
> chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
> chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
> chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
> chk_str_fmt { FEAT OPTS CEL CMD } \
> chk_str_fmt { MDTM REST SIZE MLST MLSD } \
> chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
> cmd_validity MODE < char ASBCZ > \
> cmd_validity STRU < char FRP > \
> cmd_validity ALLO < int [ char R int ] > \
> cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
> cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> cmd_validity PORT < host_port >
>
> preprocessor ftp_telnet_protocol: \
> ftp client default \
> max_resp_len 200 \
> bounce yes \
> telnet_cmds no
>
> # smtp: SMTP normalizer, protocol enforcement and buffer overflow
> # ---------------------------------------------------------------------------
> # This preprocessor normalizes SMTP commands by removing extraneous spaces.
> # It looks for overly long command lines, response lines, and data header lines.
> # It can alert on invalid commands, or specific valid commands. It can optionally
> # ignore mail data, and can ignore TLS encrypted data.
> #
> # SMTP has numerous options available, please read README.SMTP for help
> # configuring options.
>
> #####
> # Per Step #2, set the following to load the smtp preprocessor
> # dynamicpreprocessor <full path to libsf_smtp_preproc.so>
> # or use commandline option
> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
>
> preprocessor SMTP: \
> ports { 25 465 691 } \
> inspection_type stateful \
> normalize cmds \
> valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
> normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
> max_header_line_len 1000 \
> max_response_line_len 512 \
> alt_max_command_line_len 260 { MAIL } \
> alt_max_command_line_len 300 { RCPT } \
> alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
> alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
> alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
> alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
> alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
> xlink2state { enable }
>
> # sfPortscan
> # ----------
> # Portscan detection module. Detects various types of portscans and
> # portsweeps. For more information on detection philosophy, alert types,
> # and detailed portscan information, please refer to the README.sfportscan.
> #
> # -configuration options-
> # proto { tcp udp icmp ip all }
> # The arguments to the proto option are the types of protocol scans that
> # the user wants to detect. Arguments should be separated by spaces and
> # not commas.
> # scan_type { portscan portsweep decoy_portscan distributed_portscan all }
> # The arguments to the scan_type option are the scan types that the
> # user wants to detect. Arguments should be separated by spaces and not
> # commas.
> # sense_level { low|medium|high }
> # There is only one argument to this option and it is the level of
> # sensitivity in which to detect portscans. The 'low' sensitivity
> # detects scans by the common method of looking for response errors, such
> # as TCP RSTs or ICMP unreachables. This level requires the least
> # tuning. The 'medium' sensitivity level detects portscans and
> # filtered portscans (portscans that receive no response). This
> # sensitivity level usually requires tuning out scan events from NATed
> # IPs, DNS cache servers, etc. The 'high' sensitivity level has
> # lower thresholds for portscan detection and a longer time window than
> # the 'medium' sensitivity level. Requires more tuning and may be noisy
> # on very active networks. However, this sensitivity level catches the
> # most scans.
> # memcap { positive integer }
> # The maximum number of bytes to allocate for portscan detection. The
> # higher this number the more nodes that can be tracked.
> # logfile { filename }
> # This option specifies the file to log portscan and detailed portscan
> # values to. If there is not a leading /, then snort logs to the
> # configured log directory. Refer to README.sfportscan for details on
> # the logged values in the logfile.
> # watch_ip { Snort IP List }
> # ignore_scanners { Snort IP List }
> # ignore_scanned { Snort IP List }
> # These options take a snort IP list as the argument. The 'watch_ip'
> # option specifies the IP(s) to watch for portscan. The
> # 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
> # Note that these hosts are still watched as scanned hosts. The
> # 'ignore_scanners' option is used to tune alerts from very active
> # hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
> # specifies the IP(s) to ignore as scanned hosts. Note that these hosts
> # are still watched as scanner hosts. The 'ignore_scanned' option is
> # used to tune alerts from very active hosts such as syslog servers, etc.
> # detect_ack_scans
> # This option will include sessions picked up in midstream by the stream
> # module, which is necessary to detect ACK scans. However, this can lead to
> # false alerts, especially under heavy load with dropped packets; which is why
> # the option is off by default.
> #
> # Disabled by default
> #
> # preprocessor sfportscan: proto { all } \
> # memcap { 10000000 } \
> # sense_level { low }
>
> # arpspoof
> #----------------------------------------
> # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
> # unicast ARP requests, and specific ARP mapping monitoring. To make use of
> # this preprocessor you must specify the IP and hardware address of hosts on
> # the same layer 2 segment as you. Specify one host IP MAC combo per line.
> # Also takes a "-unicast" option to turn on unicast ARP request detection.
> # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
>
> # SID Event description
> # ----- -------------------
> # 1 Unicast ARP request
> # 2 Etherframe ARP mismatch (src)
> # 3 Etherframe ARP mismatch (dst)
> # 4 ARP cache overwrite attack
>
> #preprocessor arpspoof
> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>
> # ssh
> #----------------------------------------
> # EXPERIMENTAL CODE!!!
> #
> # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
> # USE AT YOUR OWN RISK! DO NOT USE IN PRODUCTION ENVIRONMENTS.
> # YOU HAVE BEEN WARNED.
> #
> # The SSH preprocessor detects the following exploits: Gobbles, CRC 32,
> # Secure CRT, and the Protocol Mismatch exploit.
> #
> # Both Gobbles and CRC 32 attacks occur after the key exchange, and are
> # therefore encrypted. Both attacks involve sending a large payload
> # (20kb+) to the server immediately after the authentication challenge.
> # To detect the attacks, the SSH preprocessor counts the number of bytes
> # transmitted to the server. If those bytes exceed a pre-defined limit
> # within a pre-defined number of packets, an alert is generated. Since
> # Gobbles only affects SSHv2 and CRC 32 only affects SSHv1, the SSH
> # version string exchange is used to distinguish the attacks.
> #
> # The Secure CRT and protocol mismatch exploits are observable before
> # the key exchange.
> #
> # SSH has numerous options available, please read README.ssh for help
> # configuring options.
>
> #####
> # Per Step #2, set the following to load the ssh preprocessor
> # dynamicpreprocessor <full path to libsf_ssh_preproc.so>
> # or use commandline option
> # --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
> #
> #preprocessor ssh: server_ports { 22 } \
> # max_client_bytes 19600 \
> # max_encrypted_packets 20 \
> # disable_srvoverflow \
> # disable_protomismatch \
> # disable_badmsgdir
>
> #UPDATE HERE MEW#
> #----------------------------------------
> # SSL Preprocessor configuration
> #
> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 },
> trustservers, noinspect_encrypted
>
> # DCE/RPC
> #----------------------------------------
> #
> # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
> # It is primarily interested in DCE/RPC data, and only decodes SMB
> # to get at the DCE/RPC data carried by the SMB layer.
> #
> # Currently, the preprocessor only handles reassembly of fragmentation
> # at both the SMB and DCE/RPC layer. Snort rules can be evaded by
> # using both types of fragmentation; with the preprocessor enabled
> # the rules are given a buffer with a reassembled SMB or DCE/RPC
> # packet to examine.
> #
> # At the SMB layer, only fragmentation using WriteAndX is currently
> # reassembled. Other methods will be handled in future versions of
> # the preprocessor.
> #
> # Autodetection of SMB is done by looking for "\xFFSMB" at the start of
> # the SMB data, as well as checking the NetBIOS header (which is always
> # present for SMB) for the type "SMB Session".
> #
> # Autodetection of DCE/RPC is not as reliable. Currently, two bytes are
> # checked in the packet. Assuming that the data is a DCE/RPC header,
> # one byte is checked for DCE/RPC version (5) and another for the type
> # "DCE/RPC Request". If both match, the preprocessor proceeds with that
> # assumption that it is looking at DCE/RPC data. If subsequent checks
> # are nonsensical, it ends processing.
> #
> # DCERPC has numerous options available, please read README.dcerpc for help
> # configuring options.
>
> #####
> # Per Step #2, set the following to load the dcerpc preprocessor
> # dynamicpreprocessor <full path to libsf_dcerpc_preproc.so>
> # or use commandline option
> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
>
> preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
> preprocessor dcerpc2_server: default, policy WinXP, \
> detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
> autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
> smb_max_chain 3
>
> # DNS
> #----------------------------------------
> # The dns preprocessor (currently) decodes DNS Response traffic
> # and detects a few vulnerabilities.
> #
> # DNS has a few options available, please read README.dns for
> # help configuring options.
>
> #####
> # Per Step #2, set the following to load the dns preprocessor
> # dynamicpreprocessor <full path to libsf_dns_preproc.so>
> # or use commandline option
> # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
>
> preprocessor dns: ports { 53 } enable_rdata_overflow
>
> ####################################################################
> # Step #4: Configure output plugins
> #
> # Uncomment and configure the output plugins you decide to use. General
> # configuration for output plugins is of the form:
> #
> # output <name_of_plugin>: <configuration_options>
> #
> # alert_syslog: log alerts to syslog
> # ----------------------------------
> # Use one or more syslog facilities as arguments. Win32 can also optionally
> # specify a particular hostname/port. Under Win32, the default hostname is
> # '127.0.0.1', and the default port is 514.
> #
> # [Unix flavours should use this format...]
> # output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
> #
> # [Win32 can use any of these formats...]
> # output alert_syslog: LOG_AUTH LOG_ALERT
> # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
> # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>
> # log_tcpdump: log packets in binary tcpdump format
> # -------------------------------------------------
> # The only argument is the output file name.
> #
> # output log_tcpdump: tcpdump.log
>
> # database: log to a variety of databases
> # ---------------------------------------
> # See the README.database file for more information about configuring
> # and using this plugin.
> #
> # output database: log, mysql, user=root password=test dbname=db host=localhost
> # output database: alert, postgresql, user=snort dbname=snort
> # output database: log, odbc, user=snort dbname=snort
> # output database: log, mssql, dbname=snort user=snort password=test
> # output database: log, oracle, dbname=snort user=snort password=test
>
> # unified: Snort unified binary format alerting and logging
> # -------------------------------------------------------------
> # The unified output plugin provides two new formats for logging and generating
> # alerts from Snort, the "unified" format. The unified format is a straight
> # binary format for logging data out of Snort that is designed to be fast and
> # efficient. Used with barnyard (the new alert/log processor), most of the
> # overhead for logging and alerting to various slow storage mechanisms such as
> # databases or the network can now be avoided.
> #
> # Check out the spo_unified.h file for the data formats.
> #
> # Two arguments are supported.
> # filename - base filename to write to (current time_t is appended)
> # limit - maximum size of spool file in MB (default: 128)
> #
> # output alert_unified: filename snort.alert, limit 128
> # output log_unified: filename snort.log, limit 128
>
>
> # prelude: log to the Prelude Hybrid IDS system
> # ---------------------------------------------
> #
> # profile = Name of the Prelude profile to use (default is snort).
> #
> # Snort priority to IDMEF severity mappings:
> # high < medium < low < info
> #
> # These are the default mapped from classification.config:
> # info = 4
> # low = 3
> # medium = 2
> # high = anything below medium
> #
> # output alert_prelude
> # output alert_prelude: profile=snort-profile-name
>
>
> #
> # Include classification & priority settings
> # Note for Windows users: You are advised to make this an absolute path,
> # such as: c:\snort\etc\classification.config
> #
>
> include classification.config
>
> #
> # Include reference systems
> # Note for Windows users: You are advised to make this an absolute path,
> # such as: c:\snort\etc\reference.config
> #
>
> include reference.config
>
> ####################################################################
> # Step #5: Configure snort with config statements
> #
> # See the snort manual for a full set of configuration references
> #
> # config flowbits_size: 64
> #
> # New global ignore_ports config option from Andy Mullican
> #
> # config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
> # config ignore_ports: tcp 21 6667:6671 1356
> # config ignore_ports: udp 1:17 53
>
>
> ####################################################################
> # Step #6: Customize your rule set
> #
> # Up to date snort rules are available at http://www.snort.org
> #
> # The snort web site has documentation about how to write your own custom snort
> # rules.
>
> #=========================================
> # Include all relevant rulesets here
> #
> # The following rulesets are disabled by default:
> #
> # web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
> # chat, multimedia, and p2p
> #
> # These rules are either site policy specific or require tuning in order to not
> # generate false positive alerts in most environments.
> #
> # Please read the specific include file for more information and
> # README.alert_order for how rule ordering affects how alerts are triggered.
> #=========================================
>
> include $RULE_PATH/local.rules
> # include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> # include $RULE_PATH/scan.rules
> # include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> # include $RULE_PATH/tftp.rules
>
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
>
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> # include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> # include $RULE_PATH/snmp.rules
>
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
>
> include $RULE_PATH/nntp.rules
> # include $RULE_PATH/other-ids.rules
> # include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/backdoor.rules
> # include $RULE_PATH/shellcode.rules
> # include $RULE_PATH/policy.rules
> # include $RULE_PATH/porn.rules
> # include $RULE_PATH/info.rules
> # include $RULE_PATH/icmp-info.rules
> # include $RULE_PATH/virus.rules
> # include $RULE_PATH/chat.rules
> # include $RULE_PATH/multimedia.rules
> # include $RULE_PATH/p2p.rules
> include $RULE_PATH/spyware-put.rules
> include $RULE_PATH/specific-threats.rules
> # include $RULE_PATH/experimental.rules
> # include $RULE_PATH/content-replace.rules
> include $RULE_PATH/voip.rules
>
> # If you're using the so rules you need to do something like the following
> # cd into the so_rules directory where you built the so rules
> # cat *.rules >> so-rules.rules
> # cp to $RULE_PATH/so-rules.rules
> # uncomment this line
> # include $RULE_PATH/so-rules.rules
>
> # Include any thresholding or suppression commands. See threshold.conf in the
> # <snort src>/etc directory for details. Commands don't necessarily need to be
> # contained in this conf, but a separate conf makes it easier to maintain them.
> # Note for Windows users: You are advised to make this an absolute path,
> # such as: c:\snort\etc\threshold.conf
> # Uncomment if needed.
> # include threshold.conf
>
> =================================================
>
>
> --
>
>
> Thanks & Regards
>
> Sadanand G.
>
>
> ------------------------------------------------------------------------------
> Crystal Reports - New Free Runtime and 30 Day Trial
> Check out the new simplified licensing option that enables
> unlimited royalty-free distribution of the report engine
> for externally facing server and web deployment.
> http://p.sf.net/sfu/businessobjects
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-- joel esler | Sourcefire | gtalk: jesler@sourcefire.com | 302-223-5974
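The diagnosis in this thread (every `output` line in the posted snort.conf is commented out, so Kiwi never receives anything) is the kind of check that is easy to automate before restarting Snort. The script below is an added example, not code from the thread or from the Snort project: it reads a snort.conf the way Snort does (backslash continuations joined, `#` lines ignored), lists the output plugins that are actually active, and resolves the `alert_syslog` destination using the `host=hostname:port` form and the Win32 defaults (`127.0.0.1`, port 514) documented in the conf comments above. The two sample conf fragments and the `192.0.2.10` collector address are constructed for the example.

```python
"""Check which Snort output plugins a snort.conf actually enables, and
where alert_syslog would send alerts.  Added example; not Snort's own code."""
import re
from typing import Dict, List, Optional, Tuple

# Defaults stated in the snort.conf comments for alert_syslog on Win32.
DEFAULT_SYSLOG_HOST = "127.0.0.1"
DEFAULT_SYSLOG_PORT = 514

# Constructed sample: every output line commented out, as in the posted
# snort.conf, so nothing reaches a syslog collector such as Kiwi.
SAMPLE_CONF_NO_SYSLOG = """\
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
# output log_tcpdump: tcpdump.log
include classification.config
"""

# Constructed sample with alert_syslog enabled in the Win32 host:port form
# (192.0.2.10 is a documentation address standing in for the Kiwi host).
SAMPLE_CONF_WITH_SYSLOG = """\
output alert_syslog: host=192.0.2.10:514, LOG_AUTH LOG_ALERT
# output log_tcpdump: tcpdump.log
include classification.config
"""

OUTPUT_RE = re.compile(r"^output\s+(\w+)\s*:?\s*(.*)$")


def logical_lines(conf_text: str) -> List[str]:
    """Join backslash-continued lines, collapse whitespace, and drop
    comments and blank lines, mirroring how Snort reads its conf."""
    lines: List[str] = []
    buf = ""
    # The trailing "" sentinel flushes a continuation left open at EOF.
    for raw in conf_text.splitlines() + [""]:
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        text = " ".join(buf.split())
        buf = ""
        if text and not text.startswith("#"):
            lines.append(text)
    return lines


def enabled_outputs(conf_text: str) -> List[Tuple[str, str]]:
    """Return (plugin, options) for every uncommented 'output' directive."""
    found: List[Tuple[str, str]] = []
    for line in logical_lines(conf_text):
        m = OUTPUT_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def syslog_destination(conf_text: str) -> Optional[Dict[str, object]]:
    """Return host, port and the LOG_* flags of the first active alert_syslog
    directive, or None when syslog output is not enabled at all."""
    for plugin, opts in enabled_outputs(conf_text):
        if plugin != "alert_syslog":
            continue
        host, port = DEFAULT_SYSLOG_HOST, DEFAULT_SYSLOG_PORT
        flags: List[str] = []
        for token in re.split(r"[,\s]+", opts):
            if token.startswith("host="):
                target = token[len("host="):]
                host, _, port_text = target.rpartition(":")
                if not host:            # no ":port" given, whole value is the host
                    host, port_text = target, ""
                if port_text:
                    port = int(port_text)
            elif token:
                flags.append(token)
        return {"host": host, "port": port, "flags": flags}
    return None


def check(conf_text: str) -> str:
    """One-line verdict for a quick pre-restart diagnostic."""
    dest = syslog_destination(conf_text)
    if dest is None:
        return "alert_syslog is NOT enabled; no alerts will reach a syslog collector"
    return f"alert_syslog enabled -> {dest['host']}:{dest['port']} {' '.join(dest['flags'])}"


if __name__ == "__main__":
    for name, conf in (("no_syslog", SAMPLE_CONF_NO_SYSLOG),
                       ("with_syslog", SAMPLE_CONF_WITH_SYSLOG)):
        print(name, "->", check(conf))
```

Run it against the real file with `check(open(r"c:\snort\etc\snort.conf").read())`; a `None` destination is exactly the state Joel describes, and the fix is to uncomment one of the `output alert_syslog:` forms with the Kiwi host and port. Note that the check only proves the directive is active, not that UDP 514 is reachable from the sensor to the collector.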
