snort 抓包问题:

由 eTony 在 08-29-2004 00:36 发表:

snort 抓包问题:

请教 snort 问题:

我的机器上有两块网卡, 一个连内网, 一个连外网, 现在snort 只抓 内网接口的数据, 我修改了home_net还是如此, 请教哪里出现了问题??


Seeking Freedom,pure Freedom!

http://211.92.88.40/~tony/

http://etony.blogone.net/


由 eTony 在 08-29-2004 20:37 发表:


难道没有人遇到这种问题吗?


Seeking Freedom,pure Freedom!

http://211.92.88.40/~tony/

http://etony.blogone.net/


由 Snoopy 在 08-29-2004 20:39 发表:


地址为0.0.0.0是否可以 ?


And then in the evening light, when the bars of freedom fall

I watch the two of you in the shadows on the wall

How in the darkness steals some of the choices from my hand

Then will I begin to under


由 smile787 在 08-29-2004 23:07 发表:


监听网卡设置如何?模式打开了吗?


由 eTony 在 08-30-2004 07:28 发表:


> quote: > > * * * > > 最初由 smile787 发表
>
> 监听网卡设置如何?模式打开了吗? > > * * *

#--------------------------------------------------

http://www.snort.org Snort 2.1.0 Ruleset

Contact: [email protected]

#--------------------------------------------------

$Id: snort.conf,v 1.142.2.2 2004/08/05 18:55:37 jhewlett Exp $

###################################################

This file contains a sample snort configuration.

You can take the following steps to create your own custom configuration:

1) Set the network variables for your network

2) Configure preprocessors

3) Configure output plugins

4) Customize your rule set

###################################################

Step #1: Set the network variables:

You must change the following variables to reflect your local network. The

variable is currently setup for an RFC 1918 address space.

You can specify it explicitly as:

var HOME_NET 10.1.1.0/24

or use global variable $

  1<interfacename>_ADDRESS which will be always   
  2  
  3# initialized to IP address and netmask of the network interface which you run   
  4  
  5# snort at. Under Windows, this must be specified as   
  6  
  7# $(<interfacename>_ADDRESS), such as:   
  8  
  9# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)   
 10  
 11#   
 12  
 13# var HOME_NET $eth0_ADDRESS   
 14  
 15#   
 16  
 17# You can specify lists of IP addresses for HOME_NET   
 18  
 19# by separating the IPs with commas like this:   
 20  
 21#   
 22  
 23# var HOME_NET [10.1.1.0/24,192.168.1.0/24]   
 24  
 25#   
 26  
 27# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!   
 28  
 29#   
 30  
 31# or you can specify the variable to be any IP address   
 32  
 33# like this:   
 34  
 35  
 36  
 37var HOME_NET any   
 38  
 39  
 40  
 41# Set up the external network addresses as well. A good start may be "any"   
 42  
 43var EXTERNAL_NET any   
 44  
 45  
 46  
 47# Configure your server lists. This allows snort to only look for attacks to   
 48  
 49# systems that have a service up. Why look for HTTP attacks if you are not   
 50  
 51# running a web server? This allows quick filtering based on IP addresses   
 52  
 53# These configurations MUST follow the same configuration scheme as defined   
 54  
 55# above for $HOME_NET.   
 56  
 57  
 58  
 59# List of DNS servers on your network   
 60  
 61var DNS_SERVERS $HOME_NET   
 62  
 63  
 64  
 65# List of SMTP servers on your network   
 66  
 67var SMTP_SERVERS $HOME_NET   
 68  
 69  
 70  
 71# List of web servers on your network   
 72  
 73var HTTP_SERVERS $HOME_NET   
 74  
 75  
 76  
 77# List of sql servers on your network   
 78  
 79var SQL_SERVERS $HOME_NET   
 80  
 81  
 82  
 83# List of telnet servers on your network   
 84  
 85var TELNET_SERVERS $HOME_NET   
 86  
 87  
 88  
 89# List of snmp servers on your network   
 90  
 91var SNMP_SERVERS $HOME_NET   
 92  
 93  
 94  
 95# Configure your service ports. This allows snort to look for attacks destined   
 96  
 97# to a specific application only on the ports that application runs on. For   
 98  
 99# example, if you run a web server on port 8081, set your HTTP_PORTS variable   
100  
101# like this:   
102  
103#   
104  
105# var HTTP_PORTS 8081   
106  
107#   
108  
109# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].   
110  
111# We will adding support for a real list of ports in the future.   
112  
113  
114  
115# Ports you run web servers on   
116  
117#   
118  
119# Please note: [80,8080] does not work.   
120  
121# If you wish to define multiple HTTP ports,   
122  
123#   
124  
125## var HTTP_PORTS 80   
126  
127## include somefile.rules   
128  
129## var HTTP_PORTS 8080   
130  
131## include somefile.rules   
132  
133var HTTP_PORTS 80   
134  
135  
136  
137# Ports you want to look for SHELLCODE on.   
138  
139var SHELLCODE_PORTS !80   
140  
141  
142  
143# Ports you do oracle attacks on   
144  
145var ORACLE_PORTS 1521   
146  
147  
148  
149# other variables   
150  
151#   
152  
153# AIM servers. AOL has a habit of adding new AIM servers, so instead of   
154  
155# modifying the signatures when they do, we add them to this list of servers.   
156  
157var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]   
158  
159  
160  
161# Path to your rules files (this can be a relative path)   
162  
163# Note for Windows users: You are advised to make this an absolute path,   
164  
165# such as: c:\snort\rules   
166  
167var RULE_PATH ../rules   
168  
169  
170  
171# Configure the snort decoder   
172  
173# ============================   
174  
175#   
176  
177# Snort's decoder will alert on lots of things such as header   
178  
179# truncation or options of unusual length or infrequently used tcp options   
180  
181#   
182  
183#   
184  
185# Stop generic decode events:   
186  
187#   
188  
189# config disable_decode_alerts   
190  
191#   
192  
193# Stop Alerts on experimental TCP options   
194  
195#   
196  
197# config disable_tcpopt_experimental_alerts   
198  
199#   
200  
201# Stop Alerts on obsolete TCP options   
202  
203#   
204  
205# config disable_tcpopt_obsolete_alerts   
206  
207#   
208  
209# Stop Alerts on T/TCP alerts   
210  
211#   
212  
213# In snort 2.0.1 and above, this only alerts when a TCP option is detected   
214  
215# that shows T/TCP being actively used on the network. If this is normal   
216  
217# behavior for your network, disable the next option.   
218  
219#   
220  
221# config disable_tcpopt_ttcp_alerts   
222  
223#   
224  
225# Stop Alerts on all other TCPOption type events:   
226  
227#   
228  
229# config disable_tcpopt_alerts   
230  
231#   
232  
233# Stop Alerts on invalid ip options   
234  
235#   
236  
237# config disable_ipopt_alerts   
238  
239  
240  
241# Configure the detection engine   
242  
243# ===============================   
244  
245#   
246  
247# Use a different pattern matcher in case you have a machine with very limited   
248  
249# resources:   
250  
251#   
252  
253# config detection: search-method lowmem   
254  
255  
256  
257###################################################   
258  
259# Step #2: Configure preprocessors   
260  
261#   
262  
263# General configuration for preprocessors is of   
264  
265# the form   
266  
267# preprocessor <name_of_processor>: <configuration_options>   
268  
269  
270  
271# Configure Flow tracking module   
272  
273# -------------------------------   
274  
275#   
276  
277# The Flow tracking module is meant to start unifying the state keeping   
278  
279# mechanisms of snort into a single place. Right now, only a portscan detector   
280  
281# is implemented but in the long term, many of the stateful subsystems of   
282  
283# snort will be migrated over to becoming flow plugins. This must be enabled   
284  
285# for flow-portscan to work correctly.   
286  
287#   
288  
289# See README.flow for additional information   
290  
291#   
292  
293preprocessor flow: stats_interval 0 hash 2   
294  
295  
296  
297# frag2: IP defragmentation support   
298  
299# -------------------------------   
300  
301# This preprocessor performs IP defragmentation. This plugin will also detect   
302  
303# people launching fragmentation attacks (usually DoS) against hosts. No   
304  
305# arguments loads the default configuration of the preprocessor, which is a 60   
306  
307# second timeout and a 4MB fragment buffer.   
308  
309  
310  
311# The following (comma delimited) options are available for frag2   
312  
313# timeout [seconds] - sets the number of [seconds] that an unfinished   
314  
315# fragment will be kept around waiting for completion,   
316  
317# if this time expires the fragment will be flushed   
318  
319# memcap [bytes] - limit frag2 memory usage to [number] bytes   
320  
321# (default: 4194304)   
322  
323#   
324  
325# min_ttl [number] - minimum ttl to accept   
326  
327#   
328  
329# ttl_limit [number] - difference of ttl to accept without alerting   
330  
331# will cause false positves with router flap   
332  
333#   
334  
335# Frag2 uses Generator ID 113 and uses the following SIDS   
336  
337# for that GID:   
338  
339# SID Event description   
340  
341# ----- -------------------   
342  
343# 1 Oversized fragment (reassembled frag &gt; 64k bytes)   
344  
345# 2 Teardrop-type attack   
346  
347  
348  
349preprocessor frag2   
350  
351  
352  
353# stream4: stateful inspection/stream reassembly for Snort   
354  
355#----------------------------------------------------------------------   
356  
357# Use in concert with the -z [all|est] command line switch to defeat stick/snot   
358  
359# against TCP rules. Also performs full TCP stream reassembly, stateful   
360  
361# inspection of TCP streams, etc. Can statefully detect various portscan   
362  
363# types, fingerprinting, ECN, etc.   
364  
365  
366  
367# stateful inspection directive   
368  
369# no arguments loads the defaults (timeout 30, memcap 8388608)   
370  
371# options (options are comma delimited):   
372  
373# detect_scans - stream4 will detect stealth portscans and generate alerts   
374  
375# when it sees them when this option is set   
376  
377# detect_state_problems - detect TCP state problems, this tends to be very   
378  
379# noisy because there are a lot of crappy ip stack   
380  
381# implementations out there   
382  
383#   
384  
385# disable_evasion_alerts - turn off the possibly noisy mitigation of   
386  
387# overlapping sequences.   
388  
389#   
390  
391#   
392  
393# min_ttl [number] - set a minium ttl that snort will accept to   
394  
395# stream reassembly   
396  
397#   
398  
399# ttl_limit [number] - differential of the initial ttl on a session versus   
400  
401# the normal that someone may be playing games.   
402  
403# Routing flap may cause lots of false positives.   
404  
405#   
406  
407# keepstats [machine|binary] - keep session statistics, add "machine" to   
408  
409# get them in a flat format for machine reading, add   
410  
411# "binary" to get them in a unified binary output   
412  
413# format   
414  
415# noinspect - turn off stateful inspection only   
416  
417# timeout [number] - set the session timeout counter to [number] seconds,   
418  
419# default is 30 seconds   
420  
421# memcap [number] - limit stream4 memory usage to [number] bytes   
422  
423# log_flushed_streams - if an event is detected on a stream this option will   
424  
425# cause all packets that are stored in the stream4   
426  
427# packet buffers to be flushed to disk. This only   
428  
429# works when logging in pcap mode!   
430  
431#   
432  
433# Stream4 uses Generator ID 111 and uses the following SIDS   
434  
435# for that GID:   
436  
437# SID Event description   
438  
439# ----- -------------------   
440  
441# 1 Stealth activity   
442  
443# 2 Evasive RST packet   
444  
445# 3 Evasive TCP packet retransmission   
446  
447# 4 TCP Window violation   
448  
449# 5 Data on SYN packet   
450  
451# 6 Stealth scan: full XMAS   
452  
453# 7 Stealth scan: SYN-ACK-PSH-URG   
454  
455# 8 Stealth scan: FIN scan   
456  
457# 9 Stealth scan: NULL scan   
458  
459# 10 Stealth scan: NMAP XMAS scan   
460  
461# 11 Stealth scan: Vecna scan   
462  
463# 12 Stealth scan: NMAP fingerprint scan stateful detect   
464  
465# 13 Stealth scan: SYN-FIN scan   
466  
467# 14 TCP forward overlap   
468  
469  
470  
471preprocessor stream4: disable_evasion_alerts   
472  
473  
474  
475# tcp stream reassembly directive   
476  
477# no arguments loads the default configuration   
478  
479# Only reassemble the client,   
480  
481# Only reassemble the default list of ports (See below),   
482  
483# Give alerts for "bad" streams   
484  
485#   
486  
487# Available options (comma delimited):   
488  
489# clientonly - reassemble traffic for the client side of a connection only   
490  
491# serveronly - reassemble traffic for the server side of a connection only   
492  
493# both - reassemble both sides of a session   
494  
495# noalerts - turn off alerts from the stream reassembly stage of stream4   
496  
497# ports [list] - use the space separated list of ports in [list], "all"   
498  
499# will turn on reassembly for all ports, "default" will turn   
500  
501# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111   
502  
503# and 513   
504  
505  
506  
507preprocessor stream4_reassemble   
508  
509  
510  
511# http_inspect: normalize and detect HTTP traffic and protocol anomalies   
512  
513#   
514  
515# lots of options available here. See doc/README.http_inspect.   
516  
517# unicode.map should be wherever your snort.conf lives, or given   
518  
519# a full path to where snort can find it.   
520  
521preprocessor http_inspect: global \   
522  
523iis_unicode_map unicode.map 1252   
524  
525  
526  
527preprocessor http_inspect_server: server default \   
528  
529profile all ports { 80 8080 8180 } oversize_dir_length 500   
530  
531  
532  
533#   
534  
535# Example unqiue server configuration   
536  
537#   
538  
539#preprocessor http_inspect_server: server 1.1.1.1 \   
540  
541# ports { 80 3128 8080 } \   
542  
543# flow_depth 0 \   
544  
545# ascii no \   
546  
547# double_decode yes \   
548  
549# non_rfc_char { 0x00 } \   
550  
551# chunk_length 500000 \   
552  
553# non_strict \   
554  
555# oversize_dir_length 300 \   
556  
557# no_alerts   
558  
559  
560  
561  
562  
563# rpc_decode: normalize RPC traffic   
564  
565# ---------------------------------   
566  
567# RPC may be sent in alternate encodings besides the usual 4-byte encoding   
568  
569# that is used by default. This plugin takes the port numbers that RPC   
570  
571# services are running on as arguments - it is assumed that the given ports   
572  
573# are actually running this type of service. If not, change the ports or turn   
574  
575# it off.   
576  
577# The RPC decode preprocessor uses generator ID 106   
578  
579#   
580  
581# arguments: space separated list   
582  
583# alert_fragments - alert on any rpc fragmented TCP data   
584  
585# no_alert_multiple_requests - don't alert when &gt;1 rpc query is in a packet   
586  
587# no_alert_large_fragments - don't alert when the fragmented   
588  
589# sizes exceed the current packet size   
590  
591# no_alert_incomplete - don't alert when a single segment   
592  
593# exceeds the current packet size   
594  
595  
596  
597preprocessor rpc_decode: 111 32771   
598  
599  
600  
601# bo: Back Orifice detector   
602  
603# -------------------------   
604  
605# Detects Back Orifice traffic on the network. Takes no arguments in 2.0.   
606  
607#   
608  
609# The Back Orifice detector uses Generator ID 105 and uses the   
610  
611# following SIDS for that GID:   
612  
613# SID Event description   
614  
615# ----- -------------------   
616  
617# 1 Back Orifice traffic detected   
618  
619  
620  
621preprocessor bo   
622  
623  
624  
625# telnet_decode: Telnet negotiation string normalizer   
626  
627# ---------------------------------------------------   
628  
629# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp   
630  
631# traffic. It works in much the same way as the http_decode preprocessor,   
632  
633# searching for traffic that breaks up the normal data stream of a protocol and   
634  
635# replacing it with a normalized representation of that traffic so that the   
636  
637# "content" pattern matching keyword can work without requiring modifications.   
638  
639# This preprocessor requires no arguments.   
640  
641# Portscan uses Generator ID 109 and does not generate any SID currently.   
642  
643  
644  
645preprocessor telnet_decode   
646  
647  
648  
649# Flow-Portscan: detect a variety of portscans   
650  
651# ---------------------------------------   
652  
653# Note: The Flow preprocessor (above) must first be enabled for Flow-Portscan to   
654  
655# work.   
656  
657#   
658  
659# This module detects portscans based off of flow creation in the flow   
660  
661# preprocessors. The goal is to catch one-&gt;many hosts and one-&gt;many   
662  
663# ports scans.   
664  
665#   
666  
667# Flow-Portscan has numerous options available, please read   
668  
669# README.flow-portscan for help configuring this option.   
670  
671  
672  
673# Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:   
674  
675# SID Event description   
676  
677# ----- -------------------   
678  
679# 1 flow-portscan: Fixed Scale Scanner Limit Exceeded   
680  
681# 2 flow-portscan: Sliding Scale Scanner Limit Exceeded   
682  
683# 3 flow-portscan: Fixed Scale Talker Limit Exceeded   
684  
685# 4 flow-portscan: Sliding Scale Talker Limit Exceeded   
686  
687  
688  
689# preprocessor flow-portscan: \   
690  
691# talker-sliding-scale-factor 0.50 \   
692  
693# talker-fixed-threshold 30 \   
694  
695# talker-sliding-threshold 30 \   
696  
697# talker-sliding-window 20 \   
698  
699# talker-fixed-window 30 \   
700  
701# scoreboard-rows-talker 30000 \   
702  
703# server-watchnet [10.2.0.0/30] \   
704  
705# server-ignore-limit 200 \   
706  
707# server-rows 65535 \   
708  
709# server-learning-time 14400 \   
710  
711# server-scanner-limit 4 \   
712  
713# scanner-sliding-window 20 \   
714  
715# scanner-sliding-scale-factor 0.50 \   
716  
717# scanner-fixed-threshold 15 \   
718  
719# scanner-sliding-threshold 40 \   
720  
721# scanner-fixed-window 15 \   
722  
723# scoreboard-rows-scanner 30000 \   
724  
725# src-ignore-net [192.168.1.1/32,192.168.0.0/24] \   
726  
727# dst-ignore-net [10.0.0.0/30] \   
728  
729# alert-mode once \   
730  
731# output-mode msg \   
732  
733# tcp-penalties on   
734  
735  
736  
737# arpspoof   
738  
739#----------------------------------------   
740  
741# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,   
742  
743# unicast ARP requests, and specific ARP mapping monitoring. To make use of   
744  
745# this preprocessor you must specify the IP and hardware address of hosts on   
746  
747# the same layer 2 segment as you. Specify one host IP MAC combo per line.   
748  
749# Also takes a "-unicast" option to turn on unicast ARP request detection.   
750  
751# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:   
752  
753  
754  
755# SID Event description   
756  
757# ----- -------------------   
758  
759# 1 Unicast ARP request   
760  
761# 2 Etherframe ARP mismatch (src)   
762  
763# 3 Etherframe ARP mismatch (dst)   
764  
765# 4 ARP cache overwrite attack   
766  
767  
768  
769#preprocessor arpspoof   
770  
771#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00   
772  
773  
774  
775  
776  
777# Performance Statistics   
778  
779# ----------------------   
780  
781# Documentation for this is provided in the Snort Manual. You should read it.   
782  
783# It is included in the release distribution as doc/snort_manual.pdf   
784  
785#   
786  
787# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000   
788  
789  
790  
791####################################################################   
792  
793# Step #3: Configure output plugins   
794  
795#   
796  
797# Uncomment and configure the output plugins you decide to use. General   
798  
799# configuration for output plugins is of the form:   
800  
801#   
802  
803# output <name_of_plugin>: <configuration_options>   
804  
805#   
806  
807# alert_syslog: log alerts to syslog   
808  
809# ----------------------------------   
810  
811# Use one or more syslog facilities as arguments. Win32 can also optionally   
812  
813# specify a particular hostname/port. Under Win32, the default hostname is   
814  
815# '127.0.0.1', and the default port is 514.   
816  
817#   
818  
819# [Unix flavours should use this format...]   
820  
821# output alert_syslog: LOG_AUTH LOG_ALERT   
822  
823#   
824  
825# [Win32 can use any of these formats...]   
826  
827# output alert_syslog: LOG_AUTH LOG_ALERT   
828  
829# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT   
830  
831# output alert_syslog: host=hostname ![](http://linuxsir.zahui.net/html/11/images/smilies/tongue.gif) ort, LOG_AUTH LOG_ALERT   
832  
833  
834  
835# log_tcpdump: log packets in binary tcpdump format   
836  
837# -------------------------------------------------   
838  
839# The only argument is the output file name.   
840  
841#   
842  
843# output log_tcpdump: tcpdump.log   
844  
845  
846  
847# database: log to a variety of databases   
848  
849# ---------------------------------------   
850  
851# See the README.database file for more information about configuring   
852  
853# and using this plugin.   
854  
855#   
856  
857# output database: log, mysql, user=root password=test dbname=db host=localhost   
858  
859# output database: alert, postgresql, user=snort dbname=snort   
860  
861# output database: log, odbc, user=snort dbname=snort   
862  
863# output database: log, mssql, dbname=snort user=snort password=test   
864  
865# output database: log, oracle, dbname=snort user=snort password=test   
866  
867  
868  
869# unified: Snort unified binary format alerting and lo</configuration_options></name_of_plugin></configuration_options></name_of_processor></interfacename></interfacename>
Published At
Categories with 服务器类
Tagged with
comments powered by Disqus