From: Will M. <wil...@gm...> - 2007-10-15 16:18:04
how are you running your nmap scan? I can't seem to reproduce your issue...

Regards,
Will

On 10/15/07, ChunXin <ch...@os...> wrote:
>
> I tried this method : iptables -A FORWARD -j NFQUEUE && sonrt_inline -Q -c snort_inline.conf
> but the problem still exists :( Are there other good suggestions? Thanks a lot!
>
> ChunXin
>
> sno...@li... wrote:
> > Send Snort-inline-users mailing list submissions to
> >         sno...@li...
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> >         https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> > or, via email, send a message with subject or body 'help' to
> >         sno...@li...
> >
> > You can reach the person managing the list at
> >         sno...@li...
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Snort-inline-users digest..."
> >
> >
> > Today's Topics:
> >
> >    1. Re: snort_inline-2.6.1.5 problems, please help me ! (Victor Julien)
> >    2. snort_inline-2.6.1.5 problems, please help me ! (ChunXin)
> >    3. Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me ! (Victor Julien)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Fri, 12 Oct 2007 10:16:13 +0200
> > From: Victor Julien <li...@in...>
> > Subject: Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me !
> > To: sno...@li...
> > Message-ID: <470...@in...>
> > Content-Type: text/plain; charset=UTF-8
> >
> > Hi
> >
> > I see you are both using ip_queue
> >
> > > 2, And i started my snort_inline by this way : "iptables -A FORWARD -j
> > > QUEUE && sonrt_inline -Q -c snort_inline.conf ",
> >
> > and compiling for nfqueue.
> >
> > > --enable-react --enable-nfnetlink --enable-clamav
> >
> > I have no idea what the results of this are. So please try removing
> > '--enable-nfnetlink' or use 'iptables -A FORWARD -j NFQUEUE' and try
> > again...
> >
> > Cheers,
> > Victor
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Mon, 15 Oct 2007 19:35:43 +0800
> > From: ChunXin <ch...@os...>
> > Subject: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me !
> > To: sno...@li..., wil...@gm...
> > Message-ID: <471...@os...>
> > Content-Type: text/plain; charset="gb2312"
> >
> > I am using snort_inline-2.6.1.5, but I encountered many problems
> >
> > 1, my network topological graph as follow :
> >
> > {Client (192.168.9.2) nmap}<--->{ snort_inline-2.6.1.5 }<--->{ Server 192.168.1.2 (web) }
> >
> > 2, And i started my snort_inline by this way : "iptables -A FORWARD -j
> > QUEUE && sonrt_inline -Q -c snort_inline.conf ",
> > When I use nmap to scan the web server, snort_inline always stops and
> > the screen shows "Segmentation fault"
> >
> > I used "strace" to check its running status (strace -f -p 5668, 5668 is the pid
> > of snort_inline); when snort_inline stopped, the screen showed:
> > --------------------------------------------------------------------------------------------------
> > gettimeofday({1192126318, 360095}, NULL) = 0
> > write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44
> > write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49
> > write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51
> > write(5, "\n", 1) = 1
> > write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105
> > write(3, "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"..., 190) = 190
> > --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> > -----------------------------------------------------------------------------------------------------
> >
> > I tracked it several times; every time the information was like this, and
> > the "(portscan)" word never changed!
> > Is it a bug in sfportscan, or have I not done it right?
> >
> > 3, my snort_inline-2.6.1.5 configure options as follow :
> > ./configure --prefix=/usr/local/snort_inline --enable-pthread
> > --enable-stream4udp --enable-dynamicplugin --enable-timestats
> > --enable-perfprofiling --enable-linux-smp-stats --enable-flexresp2
> > --enable-react --enable-nfnetlink --enable-clamav
> > --with-mysql=/usr/local/mysql
> > --with-libpcap-includes=/usr/local/libpcap/include
> > --with-libpcap-libraries=/usr/local/libpcap/lib
> > --with-clamav-includes=/usr/local/clamav/include
> > --with-clamav-defdir=/usr/local/clamav/share/clamav
> >
> > 4, and I want to know, what's the best kernel version for
> > snort_inline-2.6.1.5 ?
> >
> > my snort_inline.conf as follow :
> > -------------------------------------------------------------------
> >
> > ### Network variables
> > var HOME_NET any
> > var HONEYNET any
> > var EXTERNAL_NET any
> > var SMTP_SERVERS any
> > var TELNET_SERVERS any
> > var HTTP_SERVERS any
> > var SQL_SERVERS any
> > var DNS_SERVERS any
> >
> > # Ports you run web servers on
> > ## include somefile.rules
> > var HTTP_PORTS 80
> >
> > # Ports you want to look for SHELLCODE on.
> > var SHELLCODE_PORTS !80
> >
> > # Ports you do oracle attacks on
> > var ORACLE_PORTS 1521
> >
> > # ports you want to look for SSH on
> > var SSH_PORTS 22
> >
> > # AIM servers. AOL has a habit of adding new AIM servers, so instead of
> > # modifying the signatures when they do, we add them to this list of
> > # servers.
> > var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> >
> > ### As of snort_inline 2.2.0 we drop
> > ### packets with bad checksums. We can
> > config checksum_mode: all
> >
> > # Path to your rules files (this can be a relative path)
> > var RULE_PATH /usr/local/snort_inline/etc/snort_rules
> >
> > #
> > config layer2resets: 00:06:76:DD:5F:E3
> >
> > #
> > # Load all dynamic preprocessors from the install path
> > # (same as command line option --dynamic-preprocessor-lib-dir)
> > #
> > dynamicpreprocessor directory /usr/local/snort_inline/lib/snort_dynamicpreprocessor/
> > #
> > # Load a dynamic engine from the install path
> > # (same as command line option --dynamic-engine-lib)
> > #
> > dynamicengine /usr/local/snort_inline/lib/snort_dynamicengine/libsf_engine.so
> > # dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
> > #
> >
> > ### Preprocessors
> > #
> > # The third line tells which sources to never drop, it is very, very
> > # important to add your home net
> > # and your dns servers to this list.
> > #
> > # example:
> > preprocessor stickydrop: max_entries 3000,log
> > preprocessor stickydrop-timeouts: sfportscan 3000 , clamav 3000
> > #preprocessor stickydrop-ignorehosts: 192.168.0.0/24 192.168.1.12 192.168.1.13
> > # and your dns servers to this list.
> > #
> > # example:
> > #preprocessor bait-and-switch: max_entries 200,log,insert_before
> > #preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24
> >
> > # Done by IPTables. Iptables assembles fragments when we use connection
> > # tracking; therefore, we don't have to use frag2
> > # preprocessor frag2
> >
> > preprocessor flow: stats_interval 0 hash 2
> > preprocessor frag3_global: max_frags 655360
> > #preprocessor frag3_global: max_frags 65536
> > preprocessor frag3_engine: policy first detect_anomalies
> > #
> >
> > # Stream4 with inline support example
> >
> > preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts
> > #preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts, max_sessions 32768, memcap 36700160
> > #
> > #preprocessor stream4: disable_evasion_alerts, \
> > #                      stream4inline, \
> > #                      enforce_state drop, \
> > #                      memcap 134217728, \
> > #                      timeout 3600, \
> > #                      truncate, \
> > #                      window_size 3000
> >
> > #
> > #preprocessor stream4_reassemble: both, favor_new
> > preprocessor stream4_reassemble
> > #
> > # Example:
> > preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/local/clamav/share/clamav, dbreload-time 43200
> > #
> > #clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200
> >
> > preprocessor http_inspect: global \
> >     iis_unicode_map unicode.map 1252
> >
> > preprocessor http_inspect_server: server default \
> >     profile all ports { 80 8080 8180 } oversize_dir_length 500
> >
> > #                     sizes exceed the current packet size
> > # no_alert_incomplete - don't alert when a single segment
> > #                     exceeds the current packet size
> >
> > preprocessor rpc_decode: 111 32771
> >
> > # SID     Event description
> > # -----   -------------------
> > #   1     Back Orifice traffic detected
> >
> > preprocessor bo
> >
> > # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
> >
> > preprocessor ftp_telnet: global \
> >    encrypted_traffic yes \
> >    inspection_type stateful
> >
> > preprocessor ftp_telnet_protocol: telnet \
> >    normalize \
> >    ayt_attack_thresh 200
> >
> > # Check MDTM commands that set modification time on the file.
> > preprocessor ftp_telnet_protocol: ftp server default \
> >    def_max_param_len 100 \
> >    alt_max_param_len 200 { CWD } \
> >    cmd_validity MODE < char ASBCZ > \
> >    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> >    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
> >    telnet_cmds yes \
> >    data_chan
> >
> > preprocessor ftp_telnet_protocol: ftp client default \
> >    max_resp_len 256 \
> >    bounce yes \
> >    telnet_cmds yes
> >
> > # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
> >
> > preprocessor smtp: \
> >   ports { 25 } \
> >   inspection_type stateful \
> >   normalize cmds \
> >   normalize_cmds { EXPN VRFY RCPT } \
> >   alt_max_command_line_len 260 { MAIL } \
> >   alt_max_command_line_len 300 { RCPT } \
> >   alt_max_command_line_len 500 { HELP HELO ETRN } \
> >   alt_max_command_line_len 255 { EXPN VRFY }
> >
> > #
> > preprocessor sfportscan: proto { all } \
> >                          memcap { 10000000 } \
> >                          sense_level { low }
> >
> > # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
> >
> > preprocessor dcerpc: \
> >     autodetect \
> >     max_frag_size 3000 \
> >     memcap 100000
> >
> > # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
> >
> > preprocessor dns: \
> >     ports { 53 } \
> >     enable_rdata_overflow
> >
> > ### Logging alerts of outbound attacks
> > output alert_full: snort_inline-full
> > output alert_fast: snort_inline-fast
> >
> > ### If you want to log the contents of the dropped packets, remove comment
> > #output log_tcpdump: tcpdump.log
> >
> > # Include classification & priority settings
> > include $RULE_PATH/classification.config
> > include $RULE_PATH/reference.config
> >
> > ### The Drop Rules
> > # Enabled
> > include $RULE_PATH/exploit.rules
> > include $RULE_PATH/finger.rules
> > include $RULE_PATH/ftp.rules
> > include $RULE_PATH/telnet.rules
> > include $RULE_PATH/rpc.rules
> > include $RULE_PATH/rservices.rules
> > include $RULE_PATH/dos.rules
> > include $RULE_PATH/ddos.rules
> > include $RULE_PATH/dns.rules
> > include $RULE_PATH/tftp.rules
> > include $RULE_PATH/web-cgi.rules
> > include $RULE_PATH/web-coldfusion.rules
> > include $RULE_PATH/web-iis.rules
> > include $RULE_PATH/web-frontpage.rules
> > include $RULE_PATH/web-misc.rules
> > #include $RULE_PATH/web-client.rules
> > include $RULE_PATH/web-php.rules
> > include $RULE_PATH/sql.rules
> > include $RULE_PATH/x11.rules
> > include $RULE_PATH/icmp.rules
> > include $RULE_PATH/netbios.rules
> > include $RULE_PATH/oracle.rules
> > include $RULE_PATH/mysql.rules
> > include $RULE_PATH/snmp.rules
> > include $RULE_PATH/smtp.rules
> > include $RULE_PATH/imap.rules
> > include $RULE_PATH/pop3.rules
> > include $RULE_PATH/pop2.rules
> > include $RULE_PATH/web-attacks.rules
> > include $RULE_PATH/virus.rules
> > include $RULE_PATH/nntp.rules
> > -------------------------------------------------------------------
> >
> > Best Regards
> >
> > ChunXin
> >
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Mon, 15 Oct 2007 14:11:44 +0200
> > From: Victor Julien <li...@in...>
> > Subject: [Snort-inline-users] Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me !
> > To: sno...@li...
> > Message-ID: <471...@in...>
> > Content-Type: text/plain; charset=GB2312
> >
> > Instead of resending your mail, why don't you try my suggestion from a
> > few days ago and report back on it?
> >
> > ------------------------------
> >
> > End of Snort-inline-users Digest, Vol 16, Issue 4
> > *************************************************