nimiux 14/04/11 18:54:19 Modified: shb-intrusion.xml Log: Fix bug #507220 - Update snort to reflect reality (examples no longer work)
Revision Changes Path 1.5 xml/htdocs/doc/es/security/shb-intrusion.xml file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/es/security/shb-intrusion.xml?rev=1.5&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/es/security/shb-intrusion.xml?rev=1.5&content-type=text/plain diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/es/security/shb-intrusion.xml?r1=1.4&r2=1.5 Index: shb-intrusion.xml =================================================================== RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/es/security/shb-intrusion.xml,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- shb-intrusion.xml 27 Jul 2010 14:38:39 -0000 1.4 +++ shb-intrusion.xml 11 Apr 2014 18:54:19 -0000 1.5 @@ -1,5 +1,5 @@ <?xml version='1.0' encoding='UTF-8'?> -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/es/security/shb-intrusion.xml,v 1.4 2010/07/27 14:38:39 chiguire Exp $ --> +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/es/security/shb-intrusion.xml,v 1.5 2014/04/11 18:54:19 nimiux Exp $ --> <!DOCTYPE sections SYSTEM "/dtd/book.dtd"> <!-- The content of this document is licensed under the CC-BY-SA license --> @@ -7,8 +7,8 @@ <sections> -<version>2</version> -<date>2010-07-19</date> +<version>3</version> +<date>2014-04-09</date> <section> <title>AIDE (Entorno Avanzado de Detección de Intrusos)</title> @@ -17,7 +17,7 @@ <p> AIDE es un sistema de detección de intrusos basado en host (HIDS, Host-Based Intrusion Detection System), una alternativa libre a -Tripwire (si usted ya conoce Tripwire no debería tener dificultades +Tripwire (si ya conoce Tripwire no debería tener dificultades para aprender a configurar AIDE). Los HIDS se usan para detectar cambios en los ficheros de configuración y binarios importantes, generalmente generando un resumen cifrado ("hash") único de 
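Review bot: style point on the `-Tripwire (si usted ya conoce Tripwire` / `+Tripwire (si ya conoce Tripwire` change in the AIDE section: dropping the explicit "usted" is unrelated to the bug #507220 Snort fix named in the log, and if the rest of the AIDE section still addresses the reader with "usted" this one line becomes inconsistent with it. Either apply the same form of address across the section in this commit or mention the style cleanup in the log so the change is not mistaken for part of the Snort fix.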
@@ -239,11 +239,11 @@ </p> <pre caption="/etc/aide/aide.conf"> -@@ifndef TOPDIR +@@ifndef TOPDIR @@define TOPDIR / @@endif -@@ifndef AIDEDIR +@@ifndef AIDEDIR @@define AIDEDIR /etc/aide @@endif 
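Review bot: the `-@@ifndef TOPDIR` / `+@@ifndef TOPDIR` and `-@@ifndef AIDEDIR` / `+@@ifndef AIDEDIR` pairs read identically in the diff, so this hunk is presumably a whitespace-only (trailing space or encoding) fix to the aide.conf listing. The log message only names the Snort update, so a short note there ("also strip trailing whitespace in the AIDE example") would make the intent of this hunk recoverable later.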
@@ -354,101 +354,19 @@ SNORT_OPTS="-D -s -u snort -dev -l $LOGDIR -h $NETWORK -c $CONF" </pre> +<p> +Copie <path>/etc/snort/snort.conf.distrib</path> a +<path>/etc/snort/snort.conf</path>. +</p> + <pre caption="/etc/snort/snort.conf"> -<comment>(Step 1)</comment> -var HOME_NET 10.0.0.0/24 -var EXTERNAL_NET any -var SMTP $HOME_NET -var HTTP_SERVERS $HOME_NET -var SQL_SERVERS $HOME_NET -var DNS_SERVERS [10.0.0.2/32,212.242.40.51/32] -var RULE_PATH ./ - -<comment>(Step 2)</comment> -preprocessor frag2 -preprocessor stream4: detect_scans detect_state_problems detect_scans disable_evasion_alerts -preprocessor stream4_reassemble: ports all -preprocessor http_decode: 80 8080 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace -preprocessor rpc_decode: 111 32771 -preprocessor bo: -nobrute -preprocessor telnet_decode - -<comment>(Step 3)</comment> -include classification.config - -<comment>(Step 4)</comment> -include $RULE_PATH/bad-traffic.rules -include $RULE_PATH/exploit.rules -include $RULE_PATH/scan.rules -include $RULE_PATH/finger.rules -include $RULE_PATH/ftp.rules -include $RULE_PATH/telnet.rules -include $RULE_PATH/smtp.rules -include $RULE_PATH/rpc.rules -include $RULE_PATH/rservices.rules -include $RULE_PATH/dos.rules -include $RULE_PATH/ddos.rules -include $RULE_PATH/dns.rules -include $RULE_PATH/tftp.rules -include $RULE_PATH/web-cgi.rules -include $RULE_PATH/web-coldfusion.rules -include $RULE_PATH/web-iis.rules -include $RULE_PATH/web-frontpage.rules -include $RULE_PATH/web-misc.rules -include $RULE_PATH/web-attacks.rules -include $RULE_PATH/sql.rules -include $RULE_PATH/x11.rules -include $RULE_PATH/icmp.rules -include $RULE_PATH/netbios.rules -include $RULE_PATH/misc.rules -include $RULE_PATH/attack-responses.rules -include $RULE_PATH/backdoor.rules -include $RULE_PATH/shellcode.rules -include $RULE_PATH/policy.rules -include $RULE_PATH/porn.rules -include $RULE_PATH/info.rules -include $RULE_PATH/icmp-info.rules -include 
$RULE_PATH/virus.rules -# include $RULE_PATH/experimental.rules -include $RULE_PATH/local.rules +~# <i>cd /etc/snort && cp snort.conf.distrib snort.conf</i> </pre> -<pre caption="/etc/snort/classification.config"> -config classification: not-suspicious,Not Suspicious Traffic,3 -config classification: unknown,Unknown Traffic,3 -config classification: bad-unknown,Potentially Bad Traffic, 2 -config classification: attempted-recon,Attempted Information Leak,2 -config classification: successful-recon-limited,Information Leak,2 -config classification: successful-recon-largescale,Large Scale Information Leak,2 -config classification: attempted-dos,Attempted Denial of Service,2 -config classification: successful-dos,Denial of Service,2 -config classification: attempted-user,Attempted User Privilege Gain,1 -config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 -config classification: successful-user,Successful User Privilege Gain,1 -config classification: attempted-admin,Attempted Administrator Privilege Gain,1 -config classification: successful-admin,Successful Administrator Privilege Gain,1 - -# NEW CLASSIFICATIONS -config classification: rpc-portmap-decode,Decode of an RPC Query,2 -config classification: shellcode-detect,Executable code was detected,1 -config classification: string-detect,A suspicious string was detected,3 -config classification: suspicious-filename-detect,A suspicious filename was detected,2 -config classification: suspicious-login,An attempted login using a suspicious username was detected,2 -config classification: system-call-detect,A system call was detected,2 -config classification: tcp-connection,A TCP connection was detected,4 -config classification: trojan-activity,A Network Trojan was detected, 1 -config classification: unusual-client-port-connection,A client was using an unusual port,2 -config classification: network-scan,Detection of a Network Scan,3 -config classification: denial-of-service,Detection of a Denial of 
Service Attack,2 -config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 -config classification: protocol-command-decode,Generic Protocol Command Decode,3 -config classification: web-application-activity,access to a potentially vulnerable web application,2 -config classification: web-application-attack,Web Application Attack,1 -config classification: misc-activity,Misc activity,3 -config classification: misc-attack,Misc Attack,2 -config classification: icmp-event,Generic ICMP event,3 -config classification: kickass-porn,SCORE! Get the lotion!,1 -</pre> +<p> +Puede que necesite comentar las entradas en las listas blancas y negras +si no se creó ninguna lista. +</p> <p> Más información en el sitio web de <uri link="http://www.snort.org">Snort</uri>.
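Review bot: the new `<pre caption="/etc/snort/snort.conf">` now holds a shell command (`~# <i>cd /etc/snort && cp snort.conf.distrib snort.conf</i>`) rather than file contents, so the caption is misleading and the block merely repeats the `<p>` added just above it that already tells the reader to copy the file; keep one of the two, and if the `<pre>` stays, give it a caption that describes the action rather than a file path. Two further points on the replacement text: the new paragraph "Puede que necesite comentar las entradas en las listas blancas y negras si no se creó ninguna lista" does not say which entries in snort.conf are meant, so a reader who hits the startup error has nothing to look for; and with the 101 lines of configuration and classification examples removed, the section no longer tells the reader to set HOME_NET (which the unchanged `SNORT_OPTS` line above still passes via `-h $NETWORK`) or which rule files are included, so one sentence pointing at the relevant variables in the copied snort.conf would keep the section usable.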
