Snort mailing list archives
Hi I'm new to Snort and I keep getting weird errors....please help !
From: "Gill, Rob" <rob.gill () eds com>
Date: Fri, 25 Apr 2003 18:04:08 -0400
To all,

Thanks in advance for any and all help you give me as I realize I am new to Snort and some of my statements may seem a bit slow :0). I loaded Snort 2.0 on a win2k pro machine and configured using IDSCenter 1.1 RC2 so the snort.conf looked like this:

#--------------------------------------------------
# Snort IDScenter ruleset
# Contact: eclipse () packx net / iuk () gmx ch
#--------------------------------------------------
# Generated using IDScenter 1.1 RC2

###################################################
# You can take the following steps to create your
# own custom configuration:
# 1) Set the network variables for your network
# 2) Configure preprocessors
# 3) Configure output plugins
# 4) Customize your rule set
###################################################

###################################################
# Step #1: Set the network variables:
# You must change the following variables to reflect
# your local network. The variable is currently
# setup for an RFC 1918 address space.
###################################################

var HOME_NET 130.170.97.0/25
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH e:\Snort\rules\

# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation. This plugin will also detect
# people launching fragmentation attacks (usually DoS) against hosts. No
# arguments loads the default configuration of the preprocessor, which is a
# 60 second timeout and a 4MB fragment buffer.
# The following (comma delimited) options are available for frag2
# timeout [seconds] - sets the number of [seconds] than an unfinished
# fragment will be kept around waiting for completion,
# if this time expires the fragment will be flushed
# memcap [bytes] - limit frag2 memory usage to [number] bytes
# (default: 4194304)
#
# min_ttl [number] - minimum ttl to accept
#
# ttl_limit [number] - difference of ttl to accept without alerting
# will cause false positives with router flap
#
# Frag2 uses Generator ID 113 and uses the following SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Oversized fragment (reassembled frag > 64k bytes)
# 2 Teardrop-type attack

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat
# stick/snot against TCP rules. Also performs full TCP stream
# reassembly, stateful inspection of TCP streams, etc. Can statefully
# detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
# detect_scans - stream4 will detect stealth portscans and generate alerts
# when it sees them when this option is set
# detect_state_problems - detect TCP state problems, this tends to be very
# noisy because there are a lot of crappy ip stack
# implementations out there
#
# disable_evasion_alerts - turn off the possibly noisy mitigation of
# overlapping sequences.
#
#
# min_ttl [number] - set a minimum ttl that snort will accept to
# stream reassembly
#
# ttl_limit [number] - differential of the initial ttl on a session versus
# the normal that someone may be playing games.
# Routing flap may cause lots of false positives.
#
# keepstats [machine|binary] - keep session statistics, add "machine" to
# get them in a flat format for machine reading, add
# "binary" to get them in a unified binary output
# format
# noinspect - turn off stateful inspection only
# timeout [number] - set the session timeout counter to [number] seconds,
# default is 30 seconds
# memcap [number] - limit stream4 memory usage to [number] bytes
# log_flushed_streams - if an event is detected on a stream this option will
# cause all packets that are stored in the stream4
# packet buffers to be flushed to disk. This only
# works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Stealth activity
# 2 Evasive RST packet
# 3 Evasive TCP packet retransmission
# 4 TCP Window violation
# 5 Data on SYN packet
# 6 Stealth scan: full XMAS
# 7 Stealth scan: SYN-ACK-PSH-URG
# 8 Stealth scan: FIN scan
# 9 Stealth scan: NULL scan
# 10 Stealth scan: NMAP XMAS scan
# 11 Stealth scan: Vecna scan
# 12 Stealth scan: NMAP fingerprint scan stateful detect
# 13 Stealth scan: SYN-FIN scan
# 14 TCP forward overlap

preprocessor stream4: detect_scans

# TCP stream reassembly directive
# no arguments loads the default configuration
# Only reassemble the client,
# Only reassemble the default list of ports (See below),
# Give alerts for "bad" streams
# Available options (comma delimited):
# clientonly - reassemble traffic for the client side of a connection only
# serveronly - reassemble traffic for the server side of a connection only
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream reassembly stage of stream4
# ports [list] - use the space separated list of ports in [list], "all"
# will turn on reassembly for all ports, "default" will turn
# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
# and 513

preprocessor stream4_reassemble: clientonly

# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote
# machines by converting any %XX character
# substitutions to their ASCII equivalent. This is
# very useful for doing things like defeating hostile
# attackers trying to stealth themselves from IDSs by
# mixing these substitutions in with the request.
# Specify the port numbers you want it to analyze as arguments.
#
# Major code cleanups thanks to rfp
#
# unicode - normalize unicode
# iis_alt_unicode - %u encoding from iis
# double_encode - alert on possible double encodings
# iis_flip_slash - normalize \ as /
# full_whitespace - treat \t as whitespace ( for apache )
#
# for that GID:
# SID Event description
# ----- -------------------
# 1 UNICODE attack
# 2 NULL byte attack

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual
# 4-byte encoding that is used by default. This preprocessor
# normalized RPC traffic in much the same way as the http_decode
# preprocessor. This plugin takes the ports numbers that RPC
# services are running on as arguments.
# The RPC decode preprocessor uses generator ID 106 and does not
# generate any SIDs at this time.

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network. This preprocessor
# uses the Back Orifice "encryption" algorithm to search for
# traffic conforming to the Back Orifice protocol (not BO2K).
# This preprocessor can take two arguments. The first is "-nobrute"
# which turns off the plugin's brute forcing routine (brute forces
# the key space of the protocol to find BO traffic). The second
# argument that can be passed to the routine is a number to use
# as the default key when trying to decrypt the traffic. The
# default value is 31337 (just like BO). Be aware that turning on
# the brute forcing option runs the risk of impacting the overall
# performance of Snort, you've been warned...
# The Back Orifice detector uses Generator ID 105 and uses the
# following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Back Orifice traffic detected

preprocessor bo: -nobrute

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from
# telnet and ftp traffic. It works in much the same way as the
# http_decode preprocessor, searching for traffic that breaks up
# the normal data stream of a protocol and replacing it with
# a normalized representation of that traffic so that the "content"
# pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate any SID currently.

preprocessor telnet_decode

# portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.
# Portscan uses Generator ID 100 and uses the following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Portscan detect
# 2 Inter-scan info
# 3 Portscan End

preprocessor portscan: $HOME_NET 10 3 E:\IDScenter\portscan.log

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring. To make use
# of this preprocessor you must specify the IP and hardware address of hosts
# on the same layer 2 segment as you. Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection.
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Unicast ARP request
# 2 Etherframe ARP mismatch (src)
# 3 Etherframe ARP mismatch (dst)
# 4 ARP cache overwrite attack

preprocessor arpspoof

####################################################################
# Step #3: Configure output plugins
#
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
####################################################################

####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own
# custom snort rules.
#
# The rules included with this distribution generate alerts based on
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives or may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of rules in this
# distribution.
#
# Credits:
# Ron Gula <rgula () securitywizards com> of Network Security Wizards
# Max Vision <vision () whitehats com>
# Martin Markgraf <martin () mail du gtn com>
# Fyodor Yarochkin <fygrave () tigerteam net>
# Nick Rogness <nick () rapidnet com>
# Jim Forster <jforster () rapidnet com>
# Scott McIntyre <scott () whoi edu>
# Tom Vandepoel <Tom.Vandepoel () ubizen com>
# Brian Caswell <bmc () snort org>
# Zeno <admin () cgisecurity com>
# Ryan Russell <ryan () securityfocus com>
#
#=========================================
# Include all relevant rulesets here
#
# shellcode, policy, info, backdoor, and virus rulesets are
# disabled by default. These require tuning and maintenance.
# Please read the included specific file for more information.
#=========================================

# Classification configuration file
include E:\Snort\etc\classification.config

# Rule/Signature files:
include E:\Snort\rules\bad-traffic.rules
include E:\Snort\rules\nntp.rules
include E:\Snort\rules\oracle.rules
#include E:\Snort\rules\other-ids.rules
#include E:\Snort\rules\p2p.rules
#include E:\Snort\rules\policy.rules
#include E:\Snort\rules\pop2.rules
include E:\Snort\rules\pop3.rules
include E:\Snort\rules\rpc.rules
include E:\Snort\rules\rservices.rules
include E:\Snort\rules\scan.rules
include E:\Snort\rules\smtp.rules
include E:\Snort\rules\snmp.rules
include E:\Snort\rules\sql.rules
include E:\Snort\rules\telnet.rules
include E:\Snort\rules\virus.rules
include E:\Snort\rules\web-attacks.rules
include E:\Snort\rules\web-cgi.rules
include E:\Snort\rules\web-client.rules
include E:\Snort\rules\web-coldfusion.rules
include E:\Snort\rules\web-php.rules
include E:\Snort\rules\web-frontpage.rules
include E:\Snort\rules\web-misc.rules
include E:\Snort\rules\web-iis.rules
include E:\Snort\rules\porn.rules
include E:\Snort\rules\dos.rules
include E:\Snort\rules\netbios.rules
#include E:\Snort\rules\mysql.rules
#include E:\Snort\rules\multimedia.rules
include E:\Snort\rules\misc.rules
#include E:\Snort\rules\local.rules
#include E:\Snort\rules\info.rules
include E:\Snort\rules\imap.rules
#include E:\Snort\rules\icmp-info.rules
include E:\Snort\rules\ftp.rules
include E:\Snort\rules\finger.rules
include E:\Snort\rules\exploit.rules
#include E:\Snort\rules\experimental.rules
include E:\Snort\rules\deleted.rules
include E:\Snort\rules\dns.rules
include E:\Snort\rules\ddos.rules
include E:\Snort\rules\chat.rules
include E:\Snort\rules\backdoor.rules
include E:\Snort\rules\attack-responses.rules
include E:\Snort\rules\icmp.rules
#include classification.config

Unfortunately, when I launch Snort, I keep getting the following messages:

04/25-14:47:59.541381 [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.11:138 -> 130.170.97.127:138
04/25-14:48:32.840677 [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.21:138 -> 130.170.97.127:138
04/25-14:48:34.562718 [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.16:138 -> 130.170.97.127:138
04/25-14:48:38.265470 [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.21:138 -> 130.170.97.127:138
04/25-14:49:04.954665 [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.16:137 -> 130.170.97.127:137
04/25-14:49:15.496007 [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.13:138 -> 130.170.97.127:138
04/25-14:49:25.264974 [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.15:138 -> 130.170.97.127:138
04/25-14:49:57.660548 [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.15:137 -> 130.170.97.127:137

Our broadcast IP for this subnet is 130.170.96.127 (255.255.255.128). I know that Windows uses port 137 and 138 to do NetBIOS resolutions....what did I do wrong that Snort alarms on normal NetBIOS broadcast resolutions?

Thx
Rob
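The alerts quoted above all share one shape: UDP from a HOME_NET host to the subnet's directed broadcast address on the NetBIOS name-service (137) or datagram-service (138) port. The script below is an added triage example (not Rob's code and not part of Snort or IDScenter) that parses Snort "fast" alert lines in the format shown in the post, labels each alert relative to HOME_NET, and counts alerts per (GID, SID, message, label) so a reviewer can see at a glance whether a noisy signature is firing on internal broadcast chatter or on traffic from outside. The sample input reuses three alert lines from the post plus one constructed line from a made-up external address (192.0.2.10, a documentation range) for contrast; the regex assumes the Windows-build interface tag in angle brackets is optional.

```python
import ipaddress
import re
from collections import Counter

# One Snort "fast" alert line, as printed in the post. The <interface> tag is
# emitted by the Windows build; it is treated as optional here (assumption).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:<(?P<iface>[^>]+)> )?(?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[A-Za-z0-9]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# NetBIOS over TCP/IP service ports (RFC 1001/1002).
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

# Sample input: three lines copied from the post, plus one constructed line
# (the 192.0.2.10 source) that did NOT appear in the post.
SAMPLE_ALERTS = [
    r"04/25-14:47:59.541381 [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.11:138 -> 130.170.97.127:138",
    r"04/25-14:49:04.954665 [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.16:137 -> 130.170.97.127:137",
    r"04/25-14:49:15.496007 [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 130.170.97.13:138 -> 130.170.97.127:138",
    # constructed for contrast: same signature, but from an external address
    r"04/25-15:02:11.000000 [**] [1:1620:3] <\Device\NPF_{6948C178-4632-4F72-96CF-CFD1B6437507}> BAD TRAFFIC Non-Standard IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {UDP} 192.0.2.10:4321 -> 130.170.97.5:138",
]


def parse_alert(line):
    """Parse one fast-alert line into a dict; return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "pri"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    return d


def classify(alert, home_net):
    """Label an alert by direction relative to HOME_NET, and single out
    internal traffic aimed at the subnet's directed broadcast on a NetBIOS port."""
    src_in = alert["src"] in home_net
    dst_in = alert["dst"] in home_net
    to_broadcast = alert["dst"] == home_net.broadcast_address
    netbios = NETBIOS_PORTS.get(alert["dport"])
    if src_in and to_broadcast and netbios:
        return "internal-netbios-broadcast"
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    return "inbound"


def triage(lines, home_net_cidr):
    """Count alerts by (gid, sid, msg, label); also report unparsable lines."""
    home_net = ipaddress.ip_network(home_net_cidr, strict=False)
    counts = Counter()
    unparsed = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            unparsed += 1
            continue
        counts[(a["gid"], a["sid"], a["msg"], classify(a, home_net))] += 1
    return counts, unparsed


if __name__ == "__main__":
    # HOME_NET as set in the posted snort.conf; its broadcast is 130.170.97.127.
    summary, bad = triage(SAMPLE_ALERTS, "130.170.97.0/25")
    for (gid, sid, msg, label), n in sorted(summary.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  [{gid}:{sid}] {msg}  ({label})")
    print(f"unparsed lines: {bad}")
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file's lines; the "internal-netbios-broadcast" bucket is the set worth reviewing for tuning (for example with a per-SID threshold or suppression entry), while anything in the "inbound" bucket deserves a look at the packet itself before being dismissed.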
Current thread:
- Hi I'm new to Snort and I keep getting weird errors....please help ! Gill, Rob (Apr 25)
