Snort mailing list archives
Re: flags
From: James Ashton <admin () gitflorida com>
Date: Sun, 09 Jun 2002 01:26:54 -0400
Here is snort.conf I am building a new, faster box to run on this network. I am basicaly learning with this one. I had hopoed that the 266 would cover a network that doesnt see much traffic, like this one. I have also cut a few rules out of some of the rules files. maybe 4 or 5 total. nothing that makes a noticable differance. Just top get rid of alerts I was not worried about that cluttered up the database. James Ashton ################################################### # Step #1: Set the network variables: # # You must change the following variables to reflect # your local network. The variable is currently # setup for an RFC 1918 address space. # # You can specify it explicitly as: # # var HOME_NET 10.1.1.0/24 # # or use global variable $<interfacename>_ADDRESS # which will be always initialized to IP address and # netmask of the network interface which you run # snort at. # # var HOME_NET $eth0_ADDRESS # # You can specify lists of IP addresses for HOME_NET # by separating the IPs with commas like this: # # var HOME_NET [10.1.1.0/24,192.168.1.0/24] # # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! # # or you can specify the variable to be any IP address # like this: var HOME_NET [216.199.160.0/24,216.199.161.0/24,216.199.162.0/24,216.199.163.0/2 4,216.199.164.0/24,216.199.165.0/24] # Set up the external network addresses as well. # A good start may be "any" var EXTERNAL_NET any # Set up your SMTP servers, or simply configure them # to HOME_NET var SMTP $HOME_NET # Set up your web servers, or simply configure them # to HOME_NET var HTTP_SERVERS $HOME_NET # Set up your sql servers, or simply configure them # to HOME_NET var SQL_SERVERS $HOME_NET # Define the addresses of DNS servers and other hosts # if you want to ignore portscan false alarms from them... var DNS_SERVERS [216.199.160.3,216.199.160.2] ################################################### # Step #2: Configure preprocessors # # General configuration for preprocessors is of # the form # preprocessor <name_of_processor>: <configuration_options> # minfrag: detect small fragments # ------------------------------- # minfrag has been deprecated as of build 26 # defrag: defragmentation support # ------------------------------- # IP defragmentation support from Dragos Ruiu. There # are no configuration options at this time. #preprocessor defrag preprocessor frag2: timeout 15 # stream2: TCP stream reassembly # ------------------------------------- # TCP stream reassembly preprocessor from Chris Cramer. # This preprocessor should always go after the defrag # preprocessor, but before application layer decoders. # The example below monitors ports 23 and 80, has a # timeout after 10 seconds, and will send reassembled # packets of max payload 16384 bytes through the # detection engine. See README.tcpstream for more # information and configuration options. Uncomment # the following line and configure appropriately to # enable this preprocessor. # # NOTE: This code should still be considered BETA! # It seems to be stable, but there are still some # issues that remain to be resolved, so make sure you # keep an eye on your Snort sensor if you enable this plugin # The older version which definitely had issues w/ packet # loss is still in the code base, to use it in place of the # new version, use "preprocessor stream: ..." #preprocessor stream2: timeout 23, ports 21 23 80 110 143, maxbytes 16384 # stream4: stateful inspection/stream reassembly for Snort #---------------------------------------------------------------------- # Use in concert with the -z [all|est] command line switch to defeat # stick/snot against TCP rules. Also performs full TCP stream # reassembly, stateful inspection of TCP streams, etc. Can statefully # detect various portscan types, fingerprinting, ECN, etc. # stateful inspection directive # no arguments loads the defaults (timeout 30, memcap 8MB) # options (options are comma delimited): # detect_scans - stream4 will detect stealth portscans and generate alerts # when it sees them when this option is set # detect_state_problems - detect TCP state problems, this tends to be very # noisy because there are a lot of crappy ip stack # implementations out there # keepstats [machine] - keep session statistics, add "machine" to get them in # a flat format for machine reading # noinspect - turn off stateful inspection only # timeout [number] - set the session timeout counter to [number] seconds, # default is 30 seconds # memcap [number] - limit stream4 memory usage to [number] bytes preprocessor stream4: detect_scan, timeout 15, memcap 17572864 # tcp stream reassembly directive # no arguments loads the default configuration # Only reassemble the client, # Only reassemble the default list of ports (See below), # Give alerts for "bad" streams # # Available options (comma delimited): # clientonly - reassemble traffic for the client side of a connection only # serveronly - reassemble traffic for the server side of a connection only # both - reassemble both sides of a session # noalerts - turn off alerts from the stream reassembly stage of stream4 # ports [list] - use the space separated list of ports in [list], "all" # will turn on reassembly for all ports, "default" will turn # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111 # and 513 preprocessor stream4_reassemble both, ports [21, 23, 25, 53, 80, 143, 110, 111, 513] # http_decode: normalize HTTP requests # ------------------------------------ # http_decode normalizes HTTP requests from remote # machines by converting any %XX character # substitutions to their ASCII equivalent. This is # very useful for doing things like defeating hostile # attackers trying to stealth themselves from IDSs by # mixing these substitutions in with the request. # Specify the port numbers you want it to analyze as arguments. # You may also specify -unicode to turn off detection of # UNICODE directory traversal, etc attacks. Use -cginull to # turn off detection of CGI NULL code attacks. preprocessor http_decode: 80 2301 -unicode -cginull # unidecode: normalize HTTP/detect UNICODE attacks # ------------------------------------------------ # Works much the same as http_decode, but does a better # job of categorizing and identifying UNICODE attacks, # recommended as a potential replacement for http_decode. # preprocessor unidecode: 80 -unicode -cginull # rpc_decode: normalize RPC traffic # --------------------------------- # RPC may be sent in alternate encodings besides the usual # 4-byte encoding that is used by default. This preprocessor # normalized RPC traffic in much the same way as the http_decode # preprocessor. This plugin takes the ports numbers that RPC # services are running on as arguments. #preprocessor rpc_decode: 111 # bo: Back Orifice detector # ------------------------- # Detects Back Orifice traffic on the network. This preprocessor # uses the Back Orifice "encryption" algorithm to search for # traffic conforming to the Back Orifice protocol (not BO2K). # This preprocessor can take two arguments. The first is "-nobrute" # which turns off the plugin's brute forcing routine (brute forces # the key space of the protocol to find BO traffic). The second # argument that can be passed to the routine is a number to use # as the default key when trying to decrypt the traffic. The # default value is 31337 (just like BO). Be aware that turning on # the brute forcing option runs the risk of impacting the overall # performance of Snort, you've been warned... #preprocessor bo: -nobrute # telnet_decode: Telnet negotiation string normalizer # --------------------------------------------------- # This preprocessor "normalizes" telnet negotiation strings from # telnet and ftp traffic. It works in much the same way as the # http_decode preprocessor, searching for traffic that breaks up # the normal data stream of a protocol and replacing it with # a normalized representation of that traffic so that the "content" # pattern matching keyword can work without requiring modifications. # This preprocessor requires no arguments. #preprocessor telnet_decode # portscan: detect a variety of portscans # --------------------------------------- # portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net> # This preprocessor detects UDP packets or TCP SYN packets going to # four different ports in less than three seconds. "Stealth" TCP # packets are always detected, regardless of these settings. preprocessor portscan: $HOME_NET 5 5 portscan.log # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from # specific networks or hosts to reduce false alerts. It is typical # to see many false alerts from DNS servers so you may want to # add your DNS servers here. You can all multiple hosts/networks # in a whitespace-delimited list. # preprocessor portscan-ignorehosts: $DNS_SERVERS # Spade: the Statistical Packet Anomaly Detection Engine #------------------------------------------------------- # READ the README.Spade file before using this plugin! # # See http://www.silicondefense.com/spice/ for more info # # Spade is a Snort plugin to report unusual, possibly # suspicious, packets. Spade will review the packets # received by Snort, find those of interest (TCP SYNs # into your homenets, if any), and report those packets # that it believes are anomalous along with an anomaly # score. To enable spp_anomsensor, you must have a # line of this form in your snort configuration file: # # preprocessor spade: <anom-report-thresh> <state-file> # <log-file> <prob-mode> <checkpoint-freq> [-corrscore] # # set this to a directory Spade can read and write to # store its files # # var SPADEDIR . # # preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000 # # put a list of the networks you are interested in Spade observing packets # going to here; separate these by spaces # # preprocessor spade-homenet: 0.0.0.0/0 # # this causes Spade to adjust the reporting threshold automatically # the first argument is the target rate of alerts for normal circumstances # (0.01 = 1% or you can give it an hourly rate) after the first hour (or # however long the period is set to in the second argument), the reporting # threshold given above is ignored you can comment this out to have the # threshold be static, or try one of the other adapt methods below # preprocessor spade-adapt3: 0.01 60 168 # # other possible Spade config lines: # adapt method #1 #preprocessor spade-adapt: 20 2 0.5 # adapt method #2 #preprocessor spade-adapt2: 0.01 15 4 24 7 # offline threshold learning #preprocessor spade-threshlearn: 200 24 # periodically report on the anom scores and count of packets seen #preprocessor spade-survey: $SPADEDIR/survey.txt 60 # print out known stats about packet feature #preprocessor spade-stats: entropy uncondprob condprob # arpspoof #---------------------------------------- # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, # unicast ARP requests, and specific ARP mapping monitoring. To make use # of this preprocessor you must specify the IP and hardware address of hosts on # the same layer 2 segment as you. Specify one host IP MAC combo per line. # Also takes a "-unicast" option to turn on unicast ARP request detection. #preprocessor arpspoof #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 #################################################################### # Step #3: Configure output plugins # # Uncomment and configure the output plugins you decide to use. # General configuration for output plugins is of the form: # # output <name_of_plugin>: <configuration_options> # # alert_syslog: log alerts to syslog # ---------------------------------- # Use one or more syslog facilities as arguments # # output alert_syslog: LOG_AUTH LOG_ALERT # log_tcpdump: log packets in binary tcpdump format # ------------------------------------------------- # The only argument is the output file name. # # output log_tcpdump: snort.log # database: log to a variety of databases # --------------------------------------- # See the README.database file for more information about configuring # and using this plugin. # output database: log, mysql, user=snort password=snort dbname=snort2 host=loca lhost # output database: alert, postgresql, user=snort dbname=snort # output database: log, unixodbc, user=snort dbname=snort # output database: log, mssql, dbname=snort user=snort password=test # xml: xml logging # ---------------- # See the README.xml file for more information about configuring # and using this plugin. # # output xml: log, file=/var/log/snortxml # unified: Snort unified binary format alerting and logging # ------------------------------------------------------------- # The unified output plugin provides two new formats for logging # and generating alerts from Snort, the "unified" format. The # unified format is a straight binary format for logging data # out of Snort that is designed to be fast and efficient. Used # with barnyard (the new alert/log processor), most of the overhead # for logging and alerting to various slow storage mechanisms # such as databases or the network can now be avoided. # # Check out the spo_unified.h file for the data formats. # # Two arguments are supported. # filename - base filename to write to (current time_t is appended) # limit - maximum size of spool file in MB (default: 128) # # output alert_unified: filename snort.alert, limit 128 # output log_unified: filename snort.log, limit 128 # trap_snmp: SNMP alerting for Snort # ------------------------------------------------------------- # Read the README-SNMP file for more information on enabling and using this # plug-in. # # # The SnmpTrapGenerator outputplugin requires several parameters # The parameters depend on the Snmpversion that is used (specified) # For the SNMPv2c case the paremeters will be as follows # alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber> # <hostName> <community> # # For SNMPv2c traps # #output trap_snmp: alert, 7, trap -v 2c -p 162 myTrapListener myCommunity # # For SNMPv2c informs #output trap_snmp: alert, 7, inform -v 2c -p 162 myTrapListener myCommunity # # For SNMPv3 traps with # security name = snortUser # security level = authentication and privacy # authentication parameters : # authentication protocol = SHA , # authentication pass phrase = SnortAuthPassword # privacy (encryption) parameters # privacy protocol = DES, # privacy pass phrase = SnortPrivPassword # #output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener #For SNMPv3 informs with authentication and encryption #output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener # You can optionally define new rule types and associate one or # more output plugins specifically to that type. # # This example will create a type that will log to just tcpdump. # ruletype suspicious # { # type log # output log_tcpdump: suspicious.log # } # # EXAMPLE RULE FOR SUSPICIOUS RULETYPE: # suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) # # This example will create a rule type that will log to syslog # and a mysql database. # ruletype redalert # { # type alert # output alert_syslog: LOG_AUTH LOG_ALERT # output database: log, mysql, user=snort dbname=snort host=localhost # } # # EXAMPLE RULE FOR REDALERT RULETYPE # redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \ # flags:A+;) # # Include classification & priority settings # #include classification.config #################################################################### # Step #4: Customize your rule set # # Up to date snort rules are available at http://www.snort.org # # The snort web site has documentation about how to write your own # custom snort rules. # # The rules included with this distribution generate alerts based on # on suspicious activity. Depending on your network environment, your # security policies, and what you consider to be suspicious, some of # these rules may either generate false positives ore may be detecting # activity you consider to be acceptable; therefore, you are # encouraged to comment out rules that are not applicable in your # environment. # # Note that using all of the rules at the same time may lead to # serious packet loss on slower machines. YMMV, use with caution, # standard disclaimers apply. :) # # The following individuals contributed many of rules in this # distribution. # # Credits: # Ron Gula <rgula () securitywizards com> of Network Security Wizards # Max Vision <vision () whitehats com> # Martin Markgraf <martin () mail du gtn com> # CyberPsychotic <fygrave () tigerteam net> # Nick Rogness <nick () rapidnet com> # Jim Forster <jforster () rapidnet com> # Scott McIntyre <scott () whoi edu> # Tom Vandepoel <Tom.Vandepoel () ubizen com> # Brian Caswell <bmc () snort org> # Zeno <admin () cgisecurity com> # #========================================= # Include all relevant rulesets here # # shellcode, policy, info, backdoor, and virus rulesets are # disabled by default. These require tuning and maintance. # Please read the included specific file for more information. #========================================= include bad-traffic.rules include exploit.rules #include scan.rules include finger.rules include ftp.rules include telnet.rules #include smtp.rules #include rpc.rules #include rservices.rules include dos.rules #include ddos.rules #include dns.rules include tftp.rules include web-cgi.rules #include web-coldfusion.rules #include web-frontpage.rules include web-iis.rules include web-misc.rules include web-attacks.rules #include sql.rules #include x11.rules #include icmp.rules #include netbios.rules include misc.rules include attack-responses.rules include backdoor.rules #include shellcode.rules #include policy.rules #include porn.rules #include info.rules #include icmp-info.rules #include virus.rules #include local.rules 6/8/2002 10:44:46 PM, Rob Hughes <rob () robhughes com> wrote:
On Fri, 2002-06-07 at 22:09, James Ashton wrote:Any ideas??? I know that this box will probably not detect all of my traffic (about 4Mbits/sec.) with any realistic rule
set. but shouldnt it do
better than this and shouldn't those flags speed it up a little?? _______________________________Need your snort.conf too, please.
_______________________________ James Ashton Network Admin / Chief of client monitoring Global Internet Tech, Inc 13840 Osprey Links Dr, #219 Orlando Fl, 32837 407-859-5218 _______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users