Can you see anything wrong with these rules/snort.conf?

["Tom Fulton" <tfulton9909 () comcast net>]

Could you tell me if you see anything that looks wrong with these three
things?

(I've had to star our a couple words: s*x & P**N because the mail filters
wont let me send this email)

So I pulled out the laptop and am only running my two pcs with same type of
NIC via a 10/100 workgroup hub.  I can see traffic.  I'm running Snort from
my Linux box and I've copied over my rules from the laptop.  I can see "USER
administrator" being passed in the text field.  I can run Ethereal and see
everything, too.  So I wonder if my rules are bad?


1)
Here is my rule for FTP:
alert tcp any any -> any 21 (content: "USER administrator"; msg: "FTP root
login2";)


2)
Here is my rule for P**N:
alert tcp any 80 -> any any (msg: "P**N s*x"; content: "s*x";)

I go to a browser and GET a file called s*x.htm and it has the word: s*x on
the htm.


3)
Here is my snort.conf:

#--------------------------------------------------
#   http://www.snort.org     Snort 2.0.0 Ruleset
#     Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# $Id: snort.conf,v 1.124 2003/05/16 02:52:41 cazz Exp $
#
###################################################
# This file contains a sample snort configuration. 
# You can take the following steps to create your 
# own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently 
# setup for an RFC 1918 address space.
#
# You can specify it explicitly as: 
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS 
# which will be always initialized to IP address and 
# netmask of the network interface which you run
# snort at.  Under Windows, this must be specified
# as $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET any

# Set up the external network addresses as well.  
# A good start may be "any"

var EXTERNAL_NET any

# Configure your server lists.  This allows snort to only look for attacks #
to systems that have a service up.  Why look for HTTP attacks if you are #
not running a web server?  This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.  

# List of DNS servers on your network 
var DNS_SERVERS 216.148.227.68

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network 
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# Configure your service ports.  This allows snort to look for attacks 
# destined to a specific application only on the ports that application #
runs on.  For example, if you run a web server on port 8081, set your #
HTTP_PORTS variable like this: # # var HTTP_PORTS 8081 # # Port lists must
either be continuous [eg 80:8080], or a single port [eg 80]. # We will
adding support for a real list of ports in the future.

# Ports you run web servers on
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

# other variables
# 
# AIM servers.  AOL has a habit of adding new AIM servers, so instead of 
# modifying the signatures when they do, we add them to this list of 
# servers.
var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.1
2.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]


# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort 

# Configure the snort decoder:
# ============================
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop Alerts on T/TCP alerts
#
# config disable_ttcp_alerts
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts


# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very #
limited resources: # # config detection: search-method lowmem


###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor <name_of_processor>: <configuration_options>

# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation.  This plugin will also
detect # people launching fragmentation attacks (usually DoS) against hosts.
No # arguments loads the default configuration of the preprocessor, which is
a 
# 60 second timeout and a 4MB fragment buffer. 

# The following (comma delimited) options are available for frag2
#    timeout [seconds] - sets the number of [seconds] than an unfinished 
#                        fragment will be kept around waiting for
completion,
#                        if this time expires the fragment will be flushed
#    memcap [bytes] - limit frag2 memory usage to [number] bytes
#                      (default:  4194304)
#
#    min_ttl [number] - minimum ttl to accept
# 
#    ttl_limit [number] - difference of ttl to accept without alerting
#                         will cause false positves with router flap
# 
# Frag2 uses Generator ID 113 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Oversized fragment (reassembled frag > 64k bytes)
#   2       Teardrop-type attack

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat 
# stick/snot against TCP rules.  Also performs full TCP stream 
# reassembly, stateful inspection of TCP streams, etc.  Can statefully #
detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608) # options
(options are comma delimited):
#   detect_scans - stream4 will detect stealth portscans and generate alerts
#                  when it sees them when this option is set
#   detect_state_problems - detect TCP state problems, this tends to be very
#                           noisy because there are a lot of crappy ip stack
#                           implementations out there
#
#   disable_evasion_alerts - turn off the possibly noisy mitigation of
#                            overlapping sequences.
#
#
#   min_ttl [number]       - set a minium ttl that snort will accept to
#                            stream reassembly
#
#   ttl_limit [number]     - differential of the initial ttl on a session
versus
#                             the normal that someone may be playing games.
#                             Routing flap may cause lots of false
positives.
# 
#   keepstats [machine|binary] - keep session statistics, add "machine" to 
#                         get them in a flat format for machine reading, add
#                         "binary" to get them in a unified binary output 
#                         format
#   noinspect - turn off stateful inspection only
#   timeout [number] - set the session timeout counter to [number] seconds,
#                      default is 30 seconds
#   memcap [number] - limit stream4 memory usage to [number] bytes
#   log_flushed_streams - if an event is detected on a stream this option
will
#                         cause all packets that are stored in the stream4
#                         packet buffers to be flushed to disk.  This only 
#                         works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Stealth activity
#   2       Evasive RST packet
#   3       Evasive TCP packet retransmission
#   4       TCP Window violation
#   5       Data on SYN packet
#   6       Stealth scan: full XMAS
#   7       Stealth scan: SYN-ACK-PSH-URG
#   8       Stealth scan: FIN scan
#   9       Stealth scan: NULL scan
#   10      Stealth scan: NMAP XMAS scan
#   11      Stealth scan: Vecna scan
#   12      Stealth scan: NMAP fingerprint scan stateful detect
#   13      Stealth scan: SYN-FIN scan
#   14      TCP forward overlap

preprocessor stream4: detect_scans, disable_evasion_alerts

# tcp stream reassembly directive
# no arguments loads the default configuration 
#   Only reassemble the client,
#   Only reassemble the default list of ports (See below),  
#   Give alerts for "bad" streams
#
# Available options (comma delimited):
#   clientonly - reassemble traffic for the client side of a connection only
#   serveronly - reassemble traffic for the server side of a connection only
#   both - reassemble both sides of a session
#   noalerts - turn off alerts from the stream reassembly stage of stream4
#   ports [list] - use the space separated list of ports in [list], "all" 
#                  will turn on reassembly for all ports, "default" will
turn
#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
#                  and 513

preprocessor stream4_reassemble

# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote 
# machines by converting any %XX character 
# substitutions to their ASCII equivalent. This is
# very useful for doing things like defeating hostile
# attackers trying to stealth themselves from IDSs by
# mixing these substitutions in with the request. 
# Specify the port numbers you want it to analyze as arguments. # # Major
code cleanups thanks to rfp #
# unicode          - normalize unicode
# iis_alt_unicode  - %u encoding from iis 
# double_encode    - alert on possible double encodings
# iis_flip_slash   - normalize \ as /
# full_whitespace  - treat \t as whitespace ( for apache )
#
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       UNICODE attack
#   2       NULL byte attack

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slash full_whitespace

# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual
# 4-byte encoding that is used by default.  This preprocessor
# normalized RPC traffic in much the same way as the http_decode #
preprocessor.  This plugin takes the ports numbers that RPC 
# services are running on as arguments.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
#                            sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
#                       exceeds the current packet size

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.  Takes no arguments in 2.0. #

# The Back Orifice detector uses Generator ID 105 and uses the 
# following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Back Orifice traffic detected

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from # telnet
and ftp traffic.  It works in much the same way as the 
# http_decode preprocessor, searching for traffic that breaks up # the
normal data stream of a protocol and replacing it with 
# a normalized representation of that traffic so that the "content" #
pattern matching keyword can work without requiring modifications. # This
preprocessor requires no arguments. # Portscan uses Generator ID 109 and
does not generate any SID currently.

preprocessor telnet_decode

# Portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net> # This
preprocessor detects UDP packets or TCP SYN packets going to # four
different ports in less than three seconds. "Stealth" TCP # packets are
always detected, regardless of these settings. # Portscan uses Generator ID
100 and uses the following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Portscan detect
#   2       Inter-scan info
#   3       Portscan End

preprocessor portscan: $HOME_NET 4 3 /var/log/portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from # specific
networks or hosts to reduce false alerts. It is typical # to see many false
alerts from DNS servers so you may want to # add your DNS servers here. You
can all multiple hosts/networks # in a whitespace-delimited list. #
#preprocessor portscan-ignorehosts: 0.0.0.0

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks, 
# unicast ARP requests, and specific ARP mapping monitoring.  To make use #
of this preprocessor you must specify the IP and hardware address of hosts
on # the same layer 2 segment as you.  Specify one host IP MAC combo per
line. # Also takes a "-unicast" option to turn on unicast ARP request
detection. 
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Unicast ARP request
#   2       Etherframe ARP mismatch (src)
#   3       Etherframe ARP mismatch (dst)
#   4       ARP cache overwrite attack

#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

# Conversation
#------------------------------------------
# This preprocessor tracks conversations for tcp, udp and icmp traffic.  It
# is a prerequisite for running portscan2. # # allowed_ip_protcols 1 6 17
#      list of allowed ip protcols ( defaults to any )
#
# timeout [num]
#      conversation timeout ( defaults to 60 )
#
#
# max_conversations [num] 
#      number of conversations to support at once (defaults to 65335)
#
#
# alert_odd_protocols
#      alert on protocols not listed in allowed_ip_protocols
#
# preprocessor conversation: allowed_ip_protocols all, timeout 60,
max_conversations 3000 # # Portscan2
#-------------------------------------------
# Portscan 2, detect portscans in a new and exciting way.  You must enable #
spp_conversation in order to use this preprocessor. # # Available options:
#       scanners_max [num] 
#       targets_max [num]
#       target_limit [num]
#       port_limit [num]
#       timeout [num]
#       log [logdir]
#
#preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5,
port_limit 20, timeout 60

# Too many false alerts from portscan2? Tone it down with
# portscan2-ignorehosts!
#
# A space delimited list of addresses in CIDR notation to ignore # #
preprocessor portscan2-ignorehosts: 10.0.0.0/8 192.168.24.0/24 #

# Experimental Perf stats
# -----------------------
# No docs. Highly subject to change.
# 
# preprocessor perfmonitor: console flow events time 10

####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use. # General
configuration for output plugins is of the form: # # output
<name_of_plugin>: <configuration_options> # # alert_syslog: log alerts to
syslog # ----------------------------------
# Use one or more syslog facilities as arguments.  Win32 can also #
optionally specify a particular hostname/port.  Under Win32, the # default
hostname is '127.0.0.1', and the default port is 514. # # [Unix flavours
should use this format...] # output alert_syslog: LOG_AUTH LOG_ALERT # #
[Win32 can use any of these formats...] # output alert_syslog: LOG_AUTH
LOG_ALERT # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT # output
alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring # and
using this plugin. # # output database: log, mysql, user=root password=test
dbname=db host=localhost # output database: alert, postgresql, user=snort
dbname=snort # output database: log, unixodbc, user=snort dbname=snort #
output database: log, mssql, dbname=snort user=snort password=test

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging # and
generating alerts from Snort, the "unified" format.  The # unified format is
a straight binary format for logging data 
# out of Snort that is designed to be fast and efficient.  Used # with
barnyard (the new alert/log processor), most of the overhead # for logging
and alerting to various slow storage mechanisms # such as databases or the
network can now be avoided.  
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128

# You can optionally define new rule types and associate one or 
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump. # ruletype
suspicious # {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) #
# This example will create a rule type that will log to syslog # and a mysql
database. # ruletype redalert # {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
#   (msg:"Someone is being LEET"; flags:A+;)

#
# Include classification & priority settings
#

include classification.config

#
# Include reference systems
#

include reference.config

####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org # # The snort
web site has documentation about how to write your own 
# custom snort rules.
#
# The rules included with this distribution generate alerts based on # on
suspicious activity. Depending on your network environment, your # security
policies, and what you consider to be suspicious, some of # these rules may
either generate false positives ore may be detecting # activity you consider
to be acceptable; therefore, you are # encouraged to comment out rules that
are not applicable in your # environment. # # Note that using all of the
rules at the same time may lead to # serious packet loss on slower machines.
YMMV, use with caution, # standard disclaimers apply. :) # # The following
individuals contributed many of rules in this # distribution. # # Credits:
#   Ron Gula <rgula () securitywizards com> of Network Security Wizards
#   Max Vision <vision () whitehats com>
#   Martin Markgraf <martin () mail du gtn com>
#   Fyodor Yarochkin <fygrave () tigerteam net>
#   Nick Rogness <nick () rapidnet com>
#   Jim Forster <jforster () rapidnet com>
#   Scott McIntyre <scott () whoi edu>
#   Tom Vandepoel <Tom.Vandepoel () ubizen com>
#   Brian Caswell <bmc () snort org>
#   Zeno <admin () cgisecurity com>
#   Ryan Russell <ryan () securityfocus com>
# 
#=========================================
# Include all relevant rulesets here 
# 
# shellcode, policy, info, backdoor, and virus rulesets are 
# disabled by default.  These require tuning and maintance.  
# Please read the included specific file for more information.
#=========================================

include $RULE_PATH/bad-traffic.rules
# include $RULE_PATH/exploit.rules
# include $RULE_PATH/scan.rules
# include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
# include $RULE_PATH/rservices.rules
# include $RULE_PATH/dos.rules
# include $RULE_PATH/ddos.rules
# include $RULE_PATH/dns.rules
# include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
# include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

# include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
include $RULE_PATH/p**n.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
# include /etc/snort/local.rules

# alert tcp any any -> any 12345
# alert tcp any any -> 67.174.222.162 80\ (msg:"web access!";)


 
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Tom Fulton
Sent: Wednesday, June 02, 2004 2:42 PM
To: 'Jeff Coppock'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Cant see alert for rule


Interesting...
My laptop (snortbox) is using a 100MB NIC

My two other boxes are using the Intel 10/100/1000 NIC

Since the little Linksys 10/100 5-port workgroup hub is in the middle,
shouldn't it all level out to 100MB?

If not, what can I do?  This is a lab so no prob switching things around...

Should I pull the laptop out of the equation and just run the two Intel
10/100/1000 NICs? (install Snort on the attacker?  But if I do that, will I
just end up with the same problem?

thanks

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jeff Coppock
Sent: Wednesday, June 02, 2004 2:20 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Cant see alert for rule


On Wed, 2 Jun 2004 13:37:04 -0700
"Tom Fulton" <tfulton9909 () comcast net> wrote:

> I pulled out my Linksys switch and put in an old 10/100 5-port
> workgroup hub.  Same problem.
>  
> Any one have any ideas?

10/100 hubs actually have a switch between the 10Mbps segment and the
100Mbps segment to provide connectivity between them.  So,  if the snort box
is on a different speed link than the other PC's, the snort box will still
not see any of the traffic between the other two PC's.

jc


-- 
Jeff Coppock            Systems Engineer
Diggin' Debian          Admin and User


-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
> From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and evaluate
today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
> From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and evaluate
today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users



-------------------------------------------------------
This SF.Net email is sponsored by: GNOME Foundation
Hackers Unite!  GUADEC: The world's #1 Open Source Desktop Event.
GNOME Users and Developers European Conference, 28-30th June in Norway
http://2004/guadec.org
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users