Re: snort new ruleset and vision rules

[Michael Boman <michael () ayeka dyndns org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 25 August 2001 00:28, Liam burke wrote:
> My apologies - I am using snort 1.8.1
>
> heres the output you wanted:
>
> Thanks guys,
> LB
>
>
> [root@engarde etc]# /var/chroot/snort/sbin/snort -T -c
> /var/chroot/snort/etc/snort.conf -l /var/chroot/snort/log
> Log directory = /var/chroot/snort/log
>
>         --== Initializing Snort ==--
> Checking PID path...
> PATH_VARRUN is set to /var/run/ on this operating system
>
> Initializing Network Interface eth0
> Kernel filter, protocol ALL, raw packet socket
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file /var/chroot/snort/etc/snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Scan alerts: ACTIVE
> No arguments to stream4_reassemble, setting defaults:
>      Reassemble client: ACTIVE
>      Reassemble server: INACTIVE
>      Reassemble ports: 21 23 25 53 80 143 110 111 513
>      Reassembly alerts: ACTIVE
> Back Orifice detection brute force: DISABLED
> Using LOCAL time
>
> *WARNING*: unknown output plugin "trap_snmp", ignoring!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> ERROR vision18.rules:1 => Port value missing in rule!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This can be caused by the unset variables INTERNAL and EXTERNAL used in 
vision18.rules - see below.

> Fatal Error, Quitting..
>
> and....
>
> [root@engarde etc]# cat /var/chroot/snort/etc/snort.conf | grep -v ^# |
> grep -v ^$
> var HOME_NET $eth0_ADDRESS
> var EXTERNAL_NET any

the vision rules uses INTERNAL and EXTERNAL instead of HOME_NET and 
EXTERNAL_NET so add:

var INTERNAL $HOME_NET
var EXTERNAL $EXTERNAL_NET

> var SMTP $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
>
> var DNS_SERVERS 172.20.1.1/32 50.0.0.0/8 172.20.128.2/32 172.20.128.61/32
> 172.20.128.62/32

You can't have spaces the in this list, use:

var DNS_SERVERS 
[172.20.1.1/32,50.0.0.0/8,172.20.128.2/32,172.20.128.61/32,172.20.128.62/32]

> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 8080 -unicode -cginull
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 5 portscan.log
> preprocessor portscan-ignorehosts: $DNS_SERVERS 5.1.1.0/24 6.1.1.0/24
> output alert_syslog: LOG_AUTH LOG_ALERT
> output trap_snmp: alert, 7, trap -v 2c -p 162  172.20.128.65 public

Accoring to your 'snort -T' output you are missing the snmp alert facility 
(or just spelled this wrong - someone else, please take a look - I don't use 
SNMP alerting)

[snip]

Best regards
 Michael Boman

- -- 
There is no such thing as a system that is secure out of the box.
Tim [Timothy M. Mullen, CIO of AnchorIS.Com] claimed earlier this
morning that he had found one at WalMart the other day that was
secure out of the box, but as it turns out that was a Nintendo.

- -- Jesper M Johansson, Ph.D. Assistant Professor of Information
   Systems at Boston University - during a SANS audio broadcast
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7hxJUjD4u/xp0yJcRAo0iAJ9Jrd4vklswBgWUBzC/rh1I2xwQnwCdHiJn
NpUYvFNXcfUhi/Kn6G5CD50=
=JUYX
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users