Re: RE: RE: flow-portscan really suitable ???

[BIZOU <bizou () voila fr>]

hum.... here is my snort.conf (2.1.1). Do you see something wrong ?

# local vars are used in local.rules
var HOME_NET any
var SNMPALLOWED [MANY_IPS]
var WEBONPROXYPORT [MANY_IPS]
var SOCKSCLIENTALLOWED [many_IPS]
var SQUIDCLIENTSALLOWED [MANY_IPS]
var SQUIDSERVALLOWED [MANY_IPS]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS 
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules

#preprocessor flow: stats_interval 0 hash 2

preprocessor frag2

preprocessor stream4: detect_scans, disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 \
    no_alerts

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor telnet_decode

# preprocessor flow-portscan: \
#        talker-sliding-scale-factor 0 \
#        talker-fixed-threshold 0 \
#        talker-sliding-threshold 0 \
#        talker-sliding-window 0 \
#        talker-fixed-window 0 \
#        server-watchnet [SOME_SUBNETS] \
#        scanner-sliding-scale-factor 0.50 \
#        scanner-fixed-threshold 300 \
#        scanner-sliding-threshold 200 \
#        scanner-fixed-window 30 \
#        src-ignore-net [MANY_IPS] \
#        alert-mode all \
#        output-mode pktkludge \
#        tcp-penalties on

preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000

preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 30, port_limit 40, timeout 40

preprocessor portscan2-ignorehosts: MANY_IPS

preprocessor portscan2-ignoreports-from: 80 111 161 21 20 25 11960 443

output alert_prelude: async, classification_file=prelude-classification.config

include classification.config

include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules



And here is what i get when i launch it like that
.....
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory: YES alert: NO
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: YES alert: YES
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Segmentation fault





> You need to have conversation segment available as well from the
> original snort.conf.
>
> -Doug
>
> -----Original Message-----
> From: BIZOU [mailto:bizou () voila fr] 
> Sent: Thursday, March 04, 2004 11:50 AM
> To: snort-users () lists sourceforge net
> Subject: Re: RE: [Snort-users] flow-portscan really suitable ???
>
>
> Well, i'd like to use portscan2 again, but when i try to use it in the
> config and disable flow-portscan, i receive a segfault just when snort
> try to load conversation/portscan2. And i've seen somewhere else that
> portscan2 was disabled since 2.1.1 (although it is still present in
> src/preprocessor/). Can you confirm if it's really still available ? and
> in this case, is there a special statement to insert in the config ?
> Thanks
>
>
>
>
> > You can still use Portscan2 thankfully by just copying back the 
> > sections from an old config. I have to agree here about flow-portscan.
>
> > Portscan2 works nicely for me an rarely shows false positives. I still
>
> > haven't seen anything from flow-portscan besides false positives and 
> > considering
> > that- even when it shows the false positives, it doesn't report any
> > useful data (with msg or pktkludge). I've also only seen responses
> from
> > people saying, "Use pktkludge, it's in the documentation." Well, I
> have,
> > and it still doesn't produce any useful data anywhere that I can see
> no
> > matter what settings I put for anything. 
> >
> > My question is this... Is anyone using flow-portscan effectively and 
> > getting results such that you can see that a system is scanning your 
> > hosts for port 25, etc.? If so, can you post your settings for this? 
> > Neither myself nor my colleagues who have used Snort for years have 
> > been able to get this to work at all. We are all concerned that 
> > portscan2 will be removed, and then we will no longer be able to see 
> > any scanning activity using Snort.
> >
> > -Doug
> >
> > -----Original Message-----
> > From: BIZOU [mailto:bizou () voila fr]
> > Sent: Thursday, March 04, 2004 11:10 AM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] flow-portscan really suitable ???
> >
> >
> > Hi,
> >
> > I've been working on snort 2.1.1 for a few days. I was previously with
>
> > snort 2.0.5. I had to change my portscan2 configuration into 
> > flow-portscan and ... well i dislike it Indeed, i tuned my portscan2 
> > preprocessor with scanner-max 256, target_max 1024, target_limit 30, 
> > port_limit 40, timeout 40 and it was quite fine. I used 
> > portscan2-ignorehost and ignore-port too. I catched MydoomB scans, 
> > Blaster.C or B (don't remember) scans, nmap scan.... Now with 
> > flow-portscan, i have nothing except flase positive scans I'm managing
>
> > 6 NIDS in a wide environment so i cannot define a HOME_NET or wathever
>
> > defined variable
> >
> > When i watched at my prelude reporting GUI this morning (i use a 
> > prelude framework for alerting) i only saw false scan alerts. I tried 
> > to configure flow-portscan in several way, i cannot succeed in having 
> > correct results
> >
> > So please,
> > 1 - tell me that it wil be possible again to use portscan2 in future
> > releases 2 - Tell me a way to configure correctly and simply
> > flow-portscan (without a learning time ) 3 - Tell me a way to add
> > flow-portscan ignore port from 4 - Tell me that destination port will
> be
> > present in pktkludge soon
> >
> >
> > ------------------------------------------
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: IBM Linux Tutorials
> > Free Linux tutorial presented by Daniel Robbins, President and CEO of 
> > GenToo technologies. Learn everything from fundamentals to system 
> > administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe: 
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive: 
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> ------------------------------------------

> -------------------------------------------------------
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------

Faites un voeu et puis Voila ! www.voila.fr 




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users