由 eTony 在 08-29-2004 00:36 发表:
snort 抓包问题:
请教 snort 问题:
我的机器上有两块网卡, 一个连内网, 一个连外网, 现在snort 只抓 内网接口的数据, 我修改了home_net还是如此, 请教哪里出现了问题??
Seeking Freedom,pure Freedom!
http://211.92.88.40/~tony/
由 eTony 在 08-29-2004 20:37 发表:
难道没有人遇到这种问题吗?
Seeking Freedom,pure Freedom!
http://211.92.88.40/~tony/
由 Snoopy 在 08-29-2004 20:39 发表:
地址为0.0.0.0是否可以 ?
And then in the evening light, when the bars of freedom fall
I watch the two of you in the shadows on the wall
How in the darkness steals some of the choices from my hand
Then will I begin to under
由 smile787 在 08-29-2004 23:07 发表:
监听网卡设置如何?模式打开了吗?
由 eTony 在 08-30-2004 07:28 发表:
> quote:
>
> * * *
>
> 最初由 smile787 发表
>
> 监听网卡设置如何?模式打开了吗?
>
> * * *
#--------------------------------------------------
http://www.snort.org Snort 2.1.0 Ruleset
Contact: [email protected]
#--------------------------------------------------
$Id: snort.conf,v 1.142.2.2 2004/08/05 18:55:37 jhewlett Exp $
###################################################
This file contains a sample snort configuration.
You can take the following steps to create your own custom configuration:
1) Set the network variables for your network
2) Configure preprocessors
3) Configure output plugins
4) Customize your rule set
###################################################
Step #1: Set the network variables:
You must change the following variables to reflect your local network. The
variable is currently setup for an RFC 1918 address space.
You can specify it explicitly as:
var HOME_NET 10.1.1.0/24
or use global variable $
1<interfacename>_ADDRESS which will be always
2
3# initialized to IP address and netmask of the network interface which you run
4
5# snort at. Under Windows, this must be specified as
6
7# $(<interfacename>_ADDRESS), such as:
8
9# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
10
11#
12
13# var HOME_NET $eth0_ADDRESS
14
15#
16
17# You can specify lists of IP addresses for HOME_NET
18
19# by separating the IPs with commas like this:
20
21#
22
23# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
24
25#
26
27# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
28
29#
30
31# or you can specify the variable to be any IP address
32
33# like this:
34
35
36
37var HOME_NET any
38
39
40
41# Set up the external network addresses as well. A good start may be "any"
42
43var EXTERNAL_NET any
44
45
46
47# Configure your server lists. This allows snort to only look for attacks to
48
49# systems that have a service up. Why look for HTTP attacks if you are not
50
51# running a web server? This allows quick filtering based on IP addresses
52
53# These configurations MUST follow the same configuration scheme as defined
54
55# above for $HOME_NET.
56
57
58
59# List of DNS servers on your network
60
61var DNS_SERVERS $HOME_NET
62
63
64
65# List of SMTP servers on your network
66
67var SMTP_SERVERS $HOME_NET
68
69
70
71# List of web servers on your network
72
73var HTTP_SERVERS $HOME_NET
74
75
76
77# List of sql servers on your network
78
79var SQL_SERVERS $HOME_NET
80
81
82
83# List of telnet servers on your network
84
85var TELNET_SERVERS $HOME_NET
86
87
88
89# List of snmp servers on your network
90
91var SNMP_SERVERS $HOME_NET
92
93
94
95# Configure your service ports. This allows snort to look for attacks destined
96
97# to a specific application only on the ports that application runs on. For
98
99# example, if you run a web server on port 8081, set your HTTP_PORTS variable
100
101# like this:
102
103#
104
105# var HTTP_PORTS 8081
106
107#
108
109# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
110
111# We will adding support for a real list of ports in the future.
112
113
114
115# Ports you run web servers on
116
117#
118
119# Please note: [80,8080] does not work.
120
121# If you wish to define multiple HTTP ports,
122
123#
124
125## var HTTP_PORTS 80
126
127## include somefile.rules
128
129## var HTTP_PORTS 8080
130
131## include somefile.rules
132
133var HTTP_PORTS 80
134
135
136
137# Ports you want to look for SHELLCODE on.
138
139var SHELLCODE_PORTS !80
140
141
142
143# Ports you do oracle attacks on
144
145var ORACLE_PORTS 1521
146
147
148
149# other variables
150
151#
152
153# AIM servers. AOL has a habit of adding new AIM servers, so instead of
154
155# modifying the signatures when they do, we add them to this list of servers.
156
157var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
158
159
160
161# Path to your rules files (this can be a relative path)
162
163# Note for Windows users: You are advised to make this an absolute path,
164
165# such as: c:\snort\rules
166
167var RULE_PATH ../rules
168
169
170
171# Configure the snort decoder
172
173# ============================
174
175#
176
177# Snort's decoder will alert on lots of things such as header
178
179# truncation or options of unusual length or infrequently used tcp options
180
181#
182
183#
184
185# Stop generic decode events:
186
187#
188
189# config disable_decode_alerts
190
191#
192
193# Stop Alerts on experimental TCP options
194
195#
196
197# config disable_tcpopt_experimental_alerts
198
199#
200
201# Stop Alerts on obsolete TCP options
202
203#
204
205# config disable_tcpopt_obsolete_alerts
206
207#
208
209# Stop Alerts on T/TCP alerts
210
211#
212
213# In snort 2.0.1 and above, this only alerts when a TCP option is detected
214
215# that shows T/TCP being actively used on the network. If this is normal
216
217# behavior for your network, disable the next option.
218
219#
220
221# config disable_tcpopt_ttcp_alerts
222
223#
224
225# Stop Alerts on all other TCPOption type events:
226
227#
228
229# config disable_tcpopt_alerts
230
231#
232
233# Stop Alerts on invalid ip options
234
235#
236
237# config disable_ipopt_alerts
238
239
240
241# Configure the detection engine
242
243# ===============================
244
245#
246
247# Use a different pattern matcher in case you have a machine with very limited
248
249# resources:
250
251#
252
253# config detection: search-method lowmem
254
255
256
257###################################################
258
259# Step #2: Configure preprocessors
260
261#
262
263# General configuration for preprocessors is of
264
265# the form
266
267# preprocessor <name_of_processor>: <configuration_options>
268
269
270
271# Configure Flow tracking module
272
273# -------------------------------
274
275#
276
277# The Flow tracking module is meant to start unifying the state keeping
278
279# mechanisms of snort into a single place. Right now, only a portscan detector
280
281# is implemented but in the long term, many of the stateful subsystems of
282
283# snort will be migrated over to becoming flow plugins. This must be enabled
284
285# for flow-portscan to work correctly.
286
287#
288
289# See README.flow for additional information
290
291#
292
293preprocessor flow: stats_interval 0 hash 2
294
295
296
297# frag2: IP defragmentation support
298
299# -------------------------------
300
301# This preprocessor performs IP defragmentation. This plugin will also detect
302
303# people launching fragmentation attacks (usually DoS) against hosts. No
304
305# arguments loads the default configuration of the preprocessor, which is a 60
306
307# second timeout and a 4MB fragment buffer.
308
309
310
311# The following (comma delimited) options are available for frag2
312
313# timeout [seconds] - sets the number of [seconds] that an unfinished
314
315# fragment will be kept around waiting for completion,
316
317# if this time expires the fragment will be flushed
318
319# memcap [bytes] - limit frag2 memory usage to [number] bytes
320
321# (default: 4194304)
322
323#
324
325# min_ttl [number] - minimum ttl to accept
326
327#
328
329# ttl_limit [number] - difference of ttl to accept without alerting
330
331# will cause false positves with router flap
332
333#
334
335# Frag2 uses Generator ID 113 and uses the following SIDS
336
337# for that GID:
338
339# SID Event description
340
341# ----- -------------------
342
343# 1 Oversized fragment (reassembled frag > 64k bytes)
344
345# 2 Teardrop-type attack
346
347
348
349preprocessor frag2
350
351
352
353# stream4: stateful inspection/stream reassembly for Snort
354
355#----------------------------------------------------------------------
356
357# Use in concert with the -z [all|est] command line switch to defeat stick/snot
358
359# against TCP rules. Also performs full TCP stream reassembly, stateful
360
361# inspection of TCP streams, etc. Can statefully detect various portscan
362
363# types, fingerprinting, ECN, etc.
364
365
366
367# stateful inspection directive
368
369# no arguments loads the defaults (timeout 30, memcap 8388608)
370
371# options (options are comma delimited):
372
373# detect_scans - stream4 will detect stealth portscans and generate alerts
374
375# when it sees them when this option is set
376
377# detect_state_problems - detect TCP state problems, this tends to be very
378
379# noisy because there are a lot of crappy ip stack
380
381# implementations out there
382
383#
384
385# disable_evasion_alerts - turn off the possibly noisy mitigation of
386
387# overlapping sequences.
388
389#
390
391#
392
393# min_ttl [number] - set a minium ttl that snort will accept to
394
395# stream reassembly
396
397#
398
399# ttl_limit [number] - differential of the initial ttl on a session versus
400
401# the normal that someone may be playing games.
402
403# Routing flap may cause lots of false positives.
404
405#
406
407# keepstats [machine|binary] - keep session statistics, add "machine" to
408
409# get them in a flat format for machine reading, add
410
411# "binary" to get them in a unified binary output
412
413# format
414
415# noinspect - turn off stateful inspection only
416
417# timeout [number] - set the session timeout counter to [number] seconds,
418
419# default is 30 seconds
420
421# memcap [number] - limit stream4 memory usage to [number] bytes
422
423# log_flushed_streams - if an event is detected on a stream this option will
424
425# cause all packets that are stored in the stream4
426
427# packet buffers to be flushed to disk. This only
428
429# works when logging in pcap mode!
430
431#
432
433# Stream4 uses Generator ID 111 and uses the following SIDS
434
435# for that GID:
436
437# SID Event description
438
439# ----- -------------------
440
441# 1 Stealth activity
442
443# 2 Evasive RST packet
444
445# 3 Evasive TCP packet retransmission
446
447# 4 TCP Window violation
448
449# 5 Data on SYN packet
450
451# 6 Stealth scan: full XMAS
452
453# 7 Stealth scan: SYN-ACK-PSH-URG
454
455# 8 Stealth scan: FIN scan
456
457# 9 Stealth scan: NULL scan
458
459# 10 Stealth scan: NMAP XMAS scan
460
461# 11 Stealth scan: Vecna scan
462
463# 12 Stealth scan: NMAP fingerprint scan stateful detect
464
465# 13 Stealth scan: SYN-FIN scan
466
467# 14 TCP forward overlap
468
469
470
471preprocessor stream4: disable_evasion_alerts
472
473
474
475# tcp stream reassembly directive
476
477# no arguments loads the default configuration
478
479# Only reassemble the client,
480
481# Only reassemble the default list of ports (See below),
482
483# Give alerts for "bad" streams
484
485#
486
487# Available options (comma delimited):
488
489# clientonly - reassemble traffic for the client side of a connection only
490
491# serveronly - reassemble traffic for the server side of a connection only
492
493# both - reassemble both sides of a session
494
495# noalerts - turn off alerts from the stream reassembly stage of stream4
496
497# ports [list] - use the space separated list of ports in [list], "all"
498
499# will turn on reassembly for all ports, "default" will turn
500
501# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
502
503# and 513
504
505
506
507preprocessor stream4_reassemble
508
509
510
511# http_inspect: normalize and detect HTTP traffic and protocol anomalies
512
513#
514
515# lots of options available here. See doc/README.http_inspect.
516
517# unicode.map should be wherever your snort.conf lives, or given
518
519# a full path to where snort can find it.
520
521preprocessor http_inspect: global \
522
523iis_unicode_map unicode.map 1252
524
525
526
527preprocessor http_inspect_server: server default \
528
529profile all ports { 80 8080 8180 } oversize_dir_length 500
530
531
532
533#
534
535# Example unqiue server configuration
536
537#
538
539#preprocessor http_inspect_server: server 1.1.1.1 \
540
541# ports { 80 3128 8080 } \
542
543# flow_depth 0 \
544
545# ascii no \
546
547# double_decode yes \
548
549# non_rfc_char { 0x00 } \
550
551# chunk_length 500000 \
552
553# non_strict \
554
555# oversize_dir_length 300 \
556
557# no_alerts
558
559
560
561
562
563# rpc_decode: normalize RPC traffic
564
565# ---------------------------------
566
567# RPC may be sent in alternate encodings besides the usual 4-byte encoding
568
569# that is used by default. This plugin takes the port numbers that RPC
570
571# services are running on as arguments - it is assumed that the given ports
572
573# are actually running this type of service. If not, change the ports or turn
574
575# it off.
576
577# The RPC decode preprocessor uses generator ID 106
578
579#
580
581# arguments: space separated list
582
583# alert_fragments - alert on any rpc fragmented TCP data
584
585# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
586
587# no_alert_large_fragments - don't alert when the fragmented
588
589# sizes exceed the current packet size
590
591# no_alert_incomplete - don't alert when a single segment
592
593# exceeds the current packet size
594
595
596
597preprocessor rpc_decode: 111 32771
598
599
600
601# bo: Back Orifice detector
602
603# -------------------------
604
605# Detects Back Orifice traffic on the network. Takes no arguments in 2.0.
606
607#
608
609# The Back Orifice detector uses Generator ID 105 and uses the
610
611# following SIDS for that GID:
612
613# SID Event description
614
615# ----- -------------------
616
617# 1 Back Orifice traffic detected
618
619
620
621preprocessor bo
622
623
624
625# telnet_decode: Telnet negotiation string normalizer
626
627# ---------------------------------------------------
628
629# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
630
631# traffic. It works in much the same way as the http_decode preprocessor,
632
633# searching for traffic that breaks up the normal data stream of a protocol and
634
635# replacing it with a normalized representation of that traffic so that the
636
637# "content" pattern matching keyword can work without requiring modifications.
638
639# This preprocessor requires no arguments.
640
641# Portscan uses Generator ID 109 and does not generate any SID currently.
642
643
644
645preprocessor telnet_decode
646
647
648
649# Flow-Portscan: detect a variety of portscans
650
651# ---------------------------------------
652
653# Note: The Flow preprocessor (above) must first be enabled for Flow-Portscan to
654
655# work.
656
657#
658
659# This module detects portscans based off of flow creation in the flow
660
661# preprocessors. The goal is to catch one->many hosts and one->many
662
663# ports scans.
664
665#
666
667# Flow-Portscan has numerous options available, please read
668
669# README.flow-portscan for help configuring this option.
670
671
672
673# Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:
674
675# SID Event description
676
677# ----- -------------------
678
679# 1 flow-portscan: Fixed Scale Scanner Limit Exceeded
680
681# 2 flow-portscan: Sliding Scale Scanner Limit Exceeded
682
683# 3 flow-portscan: Fixed Scale Talker Limit Exceeded
684
685# 4 flow-portscan: Sliding Scale Talker Limit Exceeded
686
687
688
689# preprocessor flow-portscan: \
690
691# talker-sliding-scale-factor 0.50 \
692
693# talker-fixed-threshold 30 \
694
695# talker-sliding-threshold 30 \
696
697# talker-sliding-window 20 \
698
699# talker-fixed-window 30 \
700
701# scoreboard-rows-talker 30000 \
702
703# server-watchnet [10.2.0.0/30] \
704
705# server-ignore-limit 200 \
706
707# server-rows 65535 \
708
709# server-learning-time 14400 \
710
711# server-scanner-limit 4 \
712
713# scanner-sliding-window 20 \
714
715# scanner-sliding-scale-factor 0.50 \
716
717# scanner-fixed-threshold 15 \
718
719# scanner-sliding-threshold 40 \
720
721# scanner-fixed-window 15 \
722
723# scoreboard-rows-scanner 30000 \
724
725# src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
726
727# dst-ignore-net [10.0.0.0/30] \
728
729# alert-mode once \
730
731# output-mode msg \
732
733# tcp-penalties on
734
735
736
737# arpspoof
738
739#----------------------------------------
740
741# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
742
743# unicast ARP requests, and specific ARP mapping monitoring. To make use of
744
745# this preprocessor you must specify the IP and hardware address of hosts on
746
747# the same layer 2 segment as you. Specify one host IP MAC combo per line.
748
749# Also takes a "-unicast" option to turn on unicast ARP request detection.
750
751# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
752
753
754
755# SID Event description
756
757# ----- -------------------
758
759# 1 Unicast ARP request
760
761# 2 Etherframe ARP mismatch (src)
762
763# 3 Etherframe ARP mismatch (dst)
764
765# 4 ARP cache overwrite attack
766
767
768
769#preprocessor arpspoof
770
771#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
772
773
774
775
776
777# Performance Statistics
778
779# ----------------------
780
781# Documentation for this is provided in the Snort Manual. You should read it.
782
783# It is included in the release distribution as doc/snort_manual.pdf
784
785#
786
787# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
788
789
790
791####################################################################
792
793# Step #3: Configure output plugins
794
795#
796
797# Uncomment and configure the output plugins you decide to use. General
798
799# configuration for output plugins is of the form:
800
801#
802
803# output <name_of_plugin>: <configuration_options>
804
805#
806
807# alert_syslog: log alerts to syslog
808
809# ----------------------------------
810
811# Use one or more syslog facilities as arguments. Win32 can also optionally
812
813# specify a particular hostname/port. Under Win32, the default hostname is
814
815# '127.0.0.1', and the default port is 514.
816
817#
818
819# [Unix flavours should use this format...]
820
821# output alert_syslog: LOG_AUTH LOG_ALERT
822
823#
824
825# [Win32 can use any of these formats...]
826
827# output alert_syslog: LOG_AUTH LOG_ALERT
828
829# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
830
831# output alert_syslog: host=hostname  ort, LOG_AUTH LOG_ALERT
832
833
834
835# log_tcpdump: log packets in binary tcpdump format
836
837# -------------------------------------------------
838
839# The only argument is the output file name.
840
841#
842
843# output log_tcpdump: tcpdump.log
844
845
846
847# database: log to a variety of databases
848
849# ---------------------------------------
850
851# See the README.database file for more information about configuring
852
853# and using this plugin.
854
855#
856
857# output database: log, mysql, user=root password=test dbname=db host=localhost
858
859# output database: alert, postgresql, user=snort dbname=snort
860
861# output database: log, odbc, user=snort dbname=snort
862
863# output database: log, mssql, dbname=snort user=snort password=test
864
865# output database: log, oracle, dbname=snort user=snort password=test
866
867
868
869# unified: Snort unified binary format alerting and lo</configuration_options></name_of_plugin></configuration_options></name_of_processor></interfacename></interfacename>