Snort mailing list archives
Snort and Guardian
From: Michele Sibau <michele () sede civibank it>
Date: Wed, 10 Oct 2001 12:40:34 +0200
Hello,
excuse me if I'm boring you with my question...
The problem is that I can't make Guardian work for me.
I can't understand how to produce the snort.alert file.
I can get only a 0917@1055-snort.alert file, but Guardian doesn't
work (I've also tried to rename it, but...).
Can you give me some ideas?
Thank you very much in advance for your patience!
Michele
I'm using Snort Version 1.8.1-RELEASE (Build 74)
and Guardian with these lines in the conf file:
# Snort's alert file.
alertFile /var/log/snort/snort.alert
/var/log/snort looks like this:
0816@1309-snort.log  0820@1321-snort.log  0822@1214-snort.log    portscan.log
0817@0940-snort.log  0821@0816-snort.log  0822@1700-snort.log
0817@1706-snort.log  0821@0930-snort.log  0822@1701-snort.log
0820@1128-snort.log  0821@1018-snort.log  0917@1055-snort.alert
0820@1250-snort.log  0822@0941-snort.log  0917@1055-snort.log
due to the snort conf file:
#-------------------------------------------------
# http://www.snort.org Snort 1.8.0 Ruleset
# Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# NOTE:This ruleset only works for 1.8.0 and later
#--------------------------------------------------
# $Id: snort.conf,v 1.62 2001/08/12 04:31:01 roesch Exp $
#
###################################################
# This file contains a sample snort configuration.
# You can take the following steps to create your
# own custom configuration:
#
# 1) Set the network variables for your network
# 2) Configure preprocessors
# 3) Configure output plugins
# 4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently
# setup for an RFC 1918 address space.
#
# You can specify it explicitly as:
#
# var HOME_NET 10.1.0.0/24
#
# or use global variable $<interfacename>_ADDRESS
# which will be always initialized to IP address and
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET 10.1.0.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
var HOME_NET any
# Set up the external network addresses as well.
# A good start may be "any"
var EXTERNAL_NET any
# Set up your SMTP servers, or simply configure them
# to HOME_NET
var SMTP $HOME_NET
# Set up your web servers, or simply configure them
# to HOME_NET
var HTTP_SERVERS $HOME_NET
# Set up your sql servers, or simply configure them
# to HOME_NET
var SQL_SERVERS $HOME_NET
# Define the addresses of DNS servers and other hosts
# if you want to ignore portscan false alarms from them...
var DNS_SERVERS $HOME_NET
###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of
# the form
# preprocessor <name_of_processor>: <configuration_options>
# minfrag: detect small fragments
# -------------------------------
# minfrag has been deprecated as of build 26
# defrag: defragmentation support
# -------------------------------
# IP defragmentation support from Dragos Ruiu. There
# are no configuration options at this time.
#preprocessor defrag
preprocessor frag2
# stream2: TCP stream reassembly
# -------------------------------------
# TCP stream reassembly preprocessor from Chris Cramer.
# This preprocessor should always go after the defrag
# preprocessor, but before application layer decoders.
# The example below monitors ports 23 and 80, has a
# timeout after 10 seconds, and will send reassembled
# packets of max payload 16384 bytes through the
# detection engine. See README.tcpstream for more
# information and configuration options. Uncomment
# the following line and configure appropriately to
# enable this preprocessor.
#
# NOTE: This code should still be considered BETA!
# It seems to be stable, but there are still some
# issues that remain to be resolved, so make sure you
# keep an eye on your Snort sensor if you enable this plugin
# The older version which definitely had issues w/ packet
# loss is still in the code base, to use it in place of the
# new version, use "preprocessor stream: ..."
#preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat
# stick/snot against TCP rules. Also performs full TCP stream
# reassembly, stateful inspection of TCP streams, etc. Can statefully
# detect various portscan types, fingerprinting, ECN, etc.
# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8MB)
# options (options are comma delimited):
# detect_scans - stream4 will detect stealth portscans and generate alerts
# when it sees them when this option is set
# detect_state_problems - detect TCP state problems, this tends to be very
# noisy because there are a lot of crappy ip stack
# implementations out there
# keepstats [machine] - keep session statistics, add "machine" to get them in
# a flat format for machine reading
# noinspect - turn off stateful inspection only
# timeout [number] - set the session timeout counter to [number] seconds,
# default is 30 seconds
# memcap [number] - limit stream4 memory usage to [number] bytes
preprocessor stream4: detect_scans
# tcp stream reassembly directive
# no arguments loads the default configuration (clientonly, ports default,
# alerts on)
# options (still comma delimited):
# clientonly - reassemble traffic for the client side of a connection only
# serveronly - reassemble traffic for the server side of a connection only
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream reassembly stage of stream4
# ports [list] - use the space separated list of ports in [list], "all"
# will turn on reassembly for all ports, "default" will turn
# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
# and 513
preprocessor stream4_reassemble
# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote
# machines by converting any %XX character
# substitutions to their ASCII equivalent. This is
# very useful for doing things like defeating hostile
# attackers trying to stealth themselves from IDSs by
# mixing these substitutions in with the request.
# Specify the port numbers you want it to analyze as arguments.
# You may also specify -unicode to turn off detection of
# UNICODE directory traversal, etc attacks. Use -cginull to
# turn off detection of CGI NULL code attacks.
preprocessor http_decode: 80 -unicode -cginull
# unidecode: normalize HTTP/detect UNICODE attacks
# ------------------------------------------------
# Works much the same as http_decode, but does a better
# job of categorizing and identifying UNICODE attacks,
# recommended as a potential replacement for http_decode.
# preprocessor unidecode: 80 -unicode -cginull
# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual
# 4-byte encoding that is used by default. This preprocessor
# normalizes RPC traffic in much the same way as the http_decode
# preprocessor. This plugin takes the ports numbers that RPC
# services are running on as arguments.
preprocessor rpc_decode: 111
# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network. This preprocessor
# uses the Back Orifice "encryption" algorithm to search for
# traffic conforming to the Back Orifice protocol (not BO2K).
# This preprocessor can take two arguments. The first is "-nobrute"
# which turns off the plugin's brute forcing routine (brute forces
# the key space of the protocol to find BO traffic). The second
# argument that can be passed to the routine is a number to use
# as the default key when trying to decrypt the traffic. The
# default value is 31337 (just like BO). Be aware that turning on
# the brute forcing option runs the risk of impacting the overall
# performance of Snort, you've been warned...
preprocessor bo: -nobrute
# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from
# telnet and ftp traffic. It works in much the same way as the
# http_decode preprocessor, searching for traffic that breaks up
# the normal data stream of a protocol and replacing it with
# a normalized representation of that traffic so that the "content"
# pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
preprocessor telnet_decode
# portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.
preprocessor portscan: $HOME_NET 4 3 portscan.log
# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can add multiple hosts/networks
# in a whitespace-delimited list.
#
#preprocessor portscan-ignorehosts: $DNS_SERVERS
# Spade: the Statistical Packet Anomaly Detection Engine
#-------------------------------------------------------
# READ the README.Spade file before using this plugin!
#
# See http://www.silicondefense.com/spice/ for more info
#
# Spade is a Snort plugin to report unusual, possibly
# suspicious, packets. Spade will review the packets
# received by Snort, find those of interest (TCP SYNs
# into your homenets, if any), and report those packets
# that it believes are anomalous along with an anomaly
# score. To enable spp_anomsensor, you must have a
# line of this form in your snort configuration file:
#
# preprocessor spade: <anom-report-thresh> <state-file>
# <log-file> <prob-mode> <checkpoint-freq>
#
# set this to a directory Spade can read and write to
# store its files
#
# var SPADEDIR .
#
# preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
#
# put a list of the networks you are interested in Spade observing packets
# going to here
#
# preprocessor spade-homenet: 0.0.0.0/0
#
# this causes Spade to adjust the reporting threshold automatically
# the first argument is the target rate of alerts for normal circumstances
# (0.01 = 1% or you can give it an hourly rate) after the first hour (or
# however long the period is set to in the second argument), the reporting
# threshold given above is ignored you can comment this out to have the
# threshold be static, or try one of the other adapt methods below
# preprocessor spade-adapt3: 0.01 60 168
#
# other possible Spade config lines:
# adapt method #1
#preprocessor spade-adapt: 20 2 0.5
# adapt method #2
#preprocessor spade-adapt2: 0.01 15 4 24 7
# offline threshold learning
#preprocessor spade-threshlearn: 200 24
# periodically report on the anom scores and count of packets seen
#preprocessor spade-survey: $SPADEDIR/survey.txt 60
# print out known stats about packet feature
#preprocessor spade-stats: entropy uncondprob condprob
# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# directed ARP requests, and specific ARP mapping monitoring. Takes a
# "-directed" option to turn on directed ARP request detection.
# preprocessor arpspoof
####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
output alert_syslog: LOG_AUTH LOG_ALERT
# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: snort.log
# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# xml: xml logging
# ----------------
# See the README.xml file for more information about configuring
# and using this plugin.
#
# output xml: log, file=/var/log/snortxml
# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging
# and generating alerts from Snort, the "unified" format. The
# unified format is a straight binary format for logging data
# out of Snort that is designed to be fast and efficient. Used
# with the upcoming tool "barnyard", most of the overhead for
# logging and alerting to various slow storage mechanisms such
# as databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
output alert_unified: snort.alert
output log_unified: snort.log
# trap_snmp: SNMP alerting for Snort
# -------------------------------------------------------------
# Read the README-SNMP file for more information on enabling and using this
# plug-in.
#
#
# The SnmpTrapGenerator outputplugin requires several parameters
# The parameters depend on the Snmpversion that is used (specified)
# For the SNMPv2c case the parameters will be as follows
# alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber>
# <hostName> <community>
#
# For SNMPv2c traps
#
#output trap_snmp: alert, 7, trap -v 2c -p 162 myTrapListener myCommunity
#
# For SNMPv2c informs
#output trap_snmp: alert, 7, inform -v 2c -p 162 myTrapListener myCommunity
#
# For SNMPv3 traps with
# security name = snortUser
# security level = authentication and privacy
# authentication parameters :
# authentication protocol = SHA ,
# authentication pass phrase = SnortAuthPassword
# privacy (encryption) parameters
# privacy protocol = DES,
# privacy pass phrase = SnortPrivPassword
#
#output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
#For SNMPv3 informs with authentication and encryption
#output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
# You can optionally define new rule types and associate one or
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
# type log
# output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog
# and a mysql database.
# ruletype redalert
# {
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE
# redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \
# flags:A+;)
#
# Include classification & priority settings
#
include classification.config
####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at the following web sites:
# http://www.snort.org
# http://www.whitehats.com
#
# The snort web site has documentation about how to
# write your own custom snort rules.
#
# The rules included with this distribution generate alerts based
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives or may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of rules in this
# distribution.
#
# Credits:
# Ron Gula <rgula () securitywizards com> of Network Security Wizards
# Max Vision <vision () whitehats com>
# Martin Markgraf <martin () mail du gtn com>
# CyberPsychotic <fygrave () tigerteam net>
# Nick Rogness <nick () rapidnet com>
# Jim Forster <jforster () rapidnet com>
# Scott McIntyre <scott () whoi edu>
# Tom Vandepoel <Tom.Vandepoel () ubizen com>
# Brian Caswell <bmc () mitre org>
#=========================================
# Include all relevant rulesets here
# by default policy, info, and virus
# rulesets are disabled
#=========================================
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include shellcode.rules
include misc.rules
include policy.rules
include info.rules
include icmp-info.rules
include virus.rules
include local.rules
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
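
An added example, not part of the original message and not code from Snort or Guardian: a consistency check between the two configuration files quoted above, reporting when the file named by Guardian's alertFile is not produced by a text alert plugin. It assumes Guardian reads its alertFile as plain text, that relative output names resolve under /var/log/snort, and that only snort.conf (not command-line switches) selects the alert output; the function names and the sample excerpts, constructed from directives shown in the message, are illustrative.

```python
import os
import re

# Plugins that write plain-text alerts to a named file.
TEXT_ALERT_PLUGINS = {"alert_fast", "alert_full"}
# Plugins the quoted snort.conf comments describe as binary formats.
BINARY_PLUGINS = {"alert_unified", "log_unified", "log_tcpdump"}

# Constructed excerpts built from directives shown in the message.
SNORT_CONF = """\
output alert_syslog: LOG_AUTH LOG_ALERT
# output log_tcpdump: snort.log
output alert_unified: snort.alert
output log_unified: snort.log
"""
GUARDIAN_CONF = """\
# Snort's alert file.
alertFile /var/log/snort/snort.alert
"""

def active_outputs(snort_conf):
    """Return (plugin, first argument) for each uncommented output line."""
    pattern = re.compile(r"^\s*output\s+(\w+)\s*:?\s*(\S*)")
    return [m.groups() for m in map(pattern.match, snort_conf.splitlines()) if m]

def guardian_alert_file(guardian_conf):
    """Return the path given to Guardian's alertFile directive, or None."""
    for line in guardian_conf.splitlines():
        m = re.match(r"^\s*alertFile\s+(\S+)", line)
        if m:
            return m.group(1)
    return None

def check(snort_conf, guardian_conf, log_dir="/var/log/snort"):
    """List reasons why Guardian's alertFile would not receive text alerts."""
    wanted = guardian_alert_file(guardian_conf)
    if wanted is None:
        return ["guardian.conf has no alertFile directive"]
    problems, text_paths = [], []
    for plugin, arg in active_outputs(snort_conf):
        path = os.path.join(log_dir, arg)  # an absolute arg replaces log_dir
        if plugin in TEXT_ALERT_PLUGINS:
            text_paths.append(path)
        elif plugin in BINARY_PLUGINS and path == wanted:
            problems.append(f"{plugin} uses the name {arg!r} but writes binary data")
    if wanted not in text_paths:
        problems.append(f"no text alert plugin writes to {wanted}")
    return problems

if __name__ == "__main__":
    for problem in check(SNORT_CONF, GUARDIAN_CONF):
        print("MISMATCH:", problem)
```
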
