From: ChunXin <ch...@os...> - 2007-10-12 04:57:45
my snort_inline.conf as follow : ------------------------------------------------------------------- ### Network variables var HOME_NET any var HONEYNET any var EXTERNAL_NET any var SMTP_SERVERS any var TELNET_SERVERS any var HTTP_SERVERS any var SQL_SERVERS any var DNS_SERVERS any # Ports you run web servers on ## include somefile.rules var HTTP_PORTS 80 # Ports you want to look for SHELLCODE on. var SHELLCODE_PORTS !80 # Ports you do oracle attacks on var ORACLE_PORTS 1521 #ports you want to look for SSH on var SSH_PORTS 22 # AIM servers. AOL has a habit of adding new AIM servers, so instead of # modifying the signatures when they do, we add them to this list of servers. var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] ### As of snort_inline 2.2.0 we drop ### packets with bad checksums. We can config checksum_mode: all # Path to your rules files (this can be a relative path) var RULE_PATH /usr/local/snort_inline/etc/snort_rules # config layer2resets: 00:06:76:DD:5F:E3 # # Load all dynamic preprocessors from the install path # (same as command line option --dynamic-preprocessor-lib-dir) # dynamicpreprocessor directory /usr/local/snort_inline/lib/snort_dynamicpreprocessor/ # # Load a dynamic engine from the install path # (same as command line option --dynamic-engine-lib) # dynamicengine /usr/local/snort_inline/lib/snort_dynamicengine/libsf_engine.so # dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so # ### Preprocessors # # The third line tells which sources to never drop, it is very, very important to add your home net # and you dns servers to this list. 
#
#example:
# NOTE(review): the two "preprocessor stickydrop" lines below carry no
# leading "#" in the posted config, so sticky-drop appears to be ACTIVE:
# any source that trips sfportscan or clamav is dropped for 3000 s
# (50 min).  The ignore-hosts line that the stock comment above calls
# "very, very important" is still commented out, so nothing is exempt --
# a scan with spoofed source addresses, or a noisy home-net/DNS host,
# gets blackholed for the full timeout.  Put HOME_NET and the DNS servers
# in stickydrop-ignorehosts before running this inline on real traffic.
# NOTE(review): the SIGSEGV reported in this thread happens right after an
# sfportscan alert is written; sticky-drop presumably reacts to that same
# event, so commenting out these two lines (then sfportscan itself) is the
# quickest way to bisect which preprocessor is crashing -- TODO confirm.
preprocessor stickydrop: max_entries 3000,log
preprocessor stickydrop-timeouts: sfportscan 3000 , clamav 3000
#preprocessor stickydrop-ignorehosts: 192.168.0.0/24 192.168.1.12 192.168.1.13
# (tail of the stock bait-and-switch comment) ... add your home net
# and your DNS servers to this list.
#
#example:
#preprocessor bait-and-switch: max_entries 200,log,insert_before
#preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24
# Done by IPTables. Iptables assembles fragments when we use connection
# tracking; therefore, we don't have to use frag2
# preprocessor frag2
preprocessor flow: stats_interval 0 hash 2
# NOTE(review): frag3 is enabled even though the comment above says
# iptables conntrack already reassembles fragments; "policy first" should
# match the OS of the hosts behind this box -- verify before production.
preprocessor frag3_global: max_frags 655360
#preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
#
#Stream4 with inline support example
# NOTE(review): the active line uses plain "enforce_state"; the commented
# example further down uses "enforce_state drop".  Confirm which form
# actually drops out-of-state packets in this build rather than only
# alerting on them.
preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts
#preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts , max_sessions 32768, memcap 36700160
#
#preprocessor stream4: disable_evasion_alerts, \
#                      stream4inline, \
#                      enforce_state drop, \
#                      memcap 134217728, \
#                      timeout 3600, \
#                      truncate, \
#                      window_size 3000
#
#preprocessor stream4_reassemble: both, favor_new
preprocessor stream4_reassemble
#
# Example:
# NOTE(review): "toclientonly" presumably restricts scanning to the
# server->client direction, so data the client uploads to the web server
# behind this box would not be scanned -- confirm that is intended.  The
# dbdir matches the --with-clamav-defdir given in the configure line.
preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/local/clamav/share/clamav, dbreload-time 43200
#
#clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
# NOTE(review): http_inspect watches 80, 8080 and 8180, but HTTP_PORTS
# earlier in this file is only 80, so rules keyed on $HTTP_PORTS will not
# cover the other two ports -- keep the two lists consistent.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
# sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
# exceeds the current packet size
preprocessor rpc_decode: 111 32771
# SID Event description
# ----- -------------------
# 1 Back Orifice traffic detected
preprocessor bo
# --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
    normalize \
    ayt_attack_thresh 200
# Check MDTM commands that set modification time on the file.
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    alt_max_param_len 200 { CWD } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    data_chan
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
# --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
preprocessor smtp: \
    ports { 25 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }
#
# sfportscan is clearly active (the strace in this thread shows its
# [122:1:0] alert being written).  With sticky-drop hooked to it above,
# an nmap scan like the one in the report is exactly what triggers the
# 3000 s drop of the scanning source.
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
# --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
# --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow
### Logging alerts of outbound attacks
# These two outputs are the fd 5 / fd 6 writes visible in the strace.
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast
### If you want to log the contents of the dropped packets, remove comment
#output log_tcpdump: tcpdump.log
# Include classification & priority settings
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
### The Drop Rules
# Enabled
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
# (the next include, web-coldfusion.rules, was split across lines by the
# list archive rendering; its argument continues on the following line)
include 
$RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-iis.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-misc.rules #include $RULE_PATH/web-client.rules include $RULE_PATH/web-php.rules include $RULE_PATH/sql.rules include $RULE_PATH/x11.rules include $RULE_PATH/icmp.rules include $RULE_PATH/netbios.rules include $RULE_PATH/oracle.rules include $RULE_PATH/mysql.rules include $RULE_PATH/snmp.rules include $RULE_PATH/smtp.rules include $RULE_PATH/imap.rules include $RULE_PATH/pop3.rules include $RULE_PATH/pop2.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/virus.rules include $RULE_PATH/nntp.rules ------------------------------------------------------------------- Will Metcalf 写道: > send your snort_inline.conf please.... > > Regards, > > Will > > On 10/11/07, ChunXin <ch...@os...> wrote: > >> I am using snort_inline-2.6.1.5,but I encountered many problems >> >> 1, my network topological graph as follow : >> >> >> {Client (192.168.9.2) nmap}<--->{ snort_inline-2.6.1.5 }<--->{ Server >> 192.168.1.2 (web) } >> >> >> 2, And i started my snort_inline by this way : "iptables -A FORWARD -j >> QUEUE && sonrt_inline -Q -c snort_inline.conf ", >> When I use nmap scan web server , The snort_inline always stop and on >> the screen showed "Segmentation fault" >> >> I use "strace" check his running status (strace -f -p 5668 ,5668 is pid >> of snort_inline), when snort_inline stoped,the screen >> showed : >> -------------------------------------------------------------------------------------------------- >> gettimeofday({1192126318, 360095}, NULL) = 0 >> write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44 >> write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49 >> write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51 >> write(5, "\n", 1) = 1 >> write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105 >> write(3, "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"..., >> 190) = 190 >> --- SIGSEGV (Segmentation fault) @ 0 (0) 
--- >> >> ----------------------------------------------------------------------------------------------------- >> >> I traced it several times; every time the output looked like this, and >> the "(portscan)" alert was always the last thing written before the crash. >> Is this a bug in sfportscan, or have I configured something wrong? >> >> >> 3, my snort_inline-2.6.1.5 configure options are as follows: >> ./configure --prefix=/usr/local/snort_inline --enable-pthread >> --enable-stream4udp --enable-dynamicplugin --enable-timestats >> --enable-perfprofiling --enable-linux-smp-stats --enable-flexresp2 >> --enable-react --enable-nfnetlink --enable-clamav >> --with-mysql=/usr/local/mysql >> --with-libpcap-includes=/usr/local/libpcap/include >> --with-libpcap-libraries=/usr/local/libpcap/lib >> --with-clamav-includes=/usr/local/clamav/include >> --with-clamav-defdir=/usr/local/clamav/share/clamav >> >> Best Regards >> >> >> ------------------------------------------------------------------------- >> This SF.net email is sponsored by: Splunk Inc. >> Still grepping through log files to find problems? Stop. >> Now Search log events and configuration files using AJAX and a browser. >> Download your FREE copy of Splunk now >> http://get.splunk.com/ >> _______________________________________________ >> Snort-inline-users mailing list >> Sno...@li... >> https://lists.sourceforge.net/lists/listinfo/snort-inline-users >> >>