On Monday 23 June 2008 13:07, Alex wrote:
> On Monday 23 June 2008 12:33, Alex wrote:
> > Hello all,
> >
> > I want to set up a sensor to monitor the traffic on the LAN
> > (our developers run various tests which in some situations affect
> > the network). For that I installed snort-2.8.2.1 compiled with mysql support
> > on my machine. The problem is that it doesn't log ICMP traffic at all (I see
> > that it raises alerts for TCP and UDP, but for ICMP it logs absolutely nothing).
> > How do I tell it to enable/log the alerts for ICMP as well?
> >
> > I checked this with a ping -f from a workstation on the LAN towards the machine
> > that has snort installed, but nothing.

Let me ask differently, because maybe that way I still get to a conclusion:

At the moment, snort logs and produces UDP alerts, even though in
/etc/snort/snort.conf everything related to UDP support "appears" to be
disabled (the default configuration)!!!

When I start snort, I see in the terminal:
[EMAIL PROTECTED] ~]# snort -c /etc/snort/snort.conf
...
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Track ICMP sessions: INACTIVE
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...
Portscan Detection Config:
Detect Protocols:  TCP UDP ICMP IP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
...

In snort.conf, the only things connected with the UDP protocol are related to stream5
(disabled for UDP - see the log above) and sfportscan.

preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                              track_udp no

and

preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }

If UDP support is disabled, then which line in snort.conf is it that still
generates UDP events? I can't figure out from their documentation how the alerts
below come about, and I'm not convinced either that they are generated by a match
with the sfportscan preprocessor.

MS-SQL ping attempt   2008-06-23 17:51:15   192.168.0.139:1052   255.255.255.255:1434   UDP

or

MISC UPnP malformed advertisement   2008-06-23 16:21:10   169.254.209.225:1900   239.255.255.250:1900   UDP

Regards,
Alx

PS: The whole configuration file looks like this:

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicpreprocessor directory /usr/lib/snort-2.8.2.1_dynamicpreprocessor/
dynamicengine /usr/lib/snort-2.8.2.1_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                              track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   telnet_cmds yes \
   data_chan
preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes
preprocessor smtp: \
  ports { 25 587 691 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow
preprocessor ssl: noinspect_encrypted
output database: log, mysql, user=snort password=password dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules

_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug
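An added check, written for this thread and not part of the original mail or of Snort itself: rule-driven alerts such as `MS-SQL ping attempt` come from the files pulled in by `include $RULE_PATH/...`, and a stateless rule fires whether or not stream5 tracks that protocol, so the place to look is the rule files rather than the preprocessor lines. This Python script expands the include lines of a snort.conf and counts active (uncommented) rules per protocol, naming the file that carries a given msg; the conf fragment and rule contents below are constructed samples, and the sids are placeholders.

```python
import re
from collections import Counter

# Constructed sample of the parts of snort.conf this check needs (not the real file).
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \\
                              track_udp no
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules
"""

# Constructed stand-ins for rule files on disk; the sids are placeholders.
SAMPLE_RULES = {
    "/etc/snort/rules/sql.rules":
        'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; sid:1000001;)\n',
    "/etc/snort/rules/icmp.rules":
        '# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; sid:1000002;)\n',
}

RULE_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s+(tcp|udp|icmp|ip)\s")
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')

def resolve_includes(conf_text):
    """Return include paths with $VAR references expanded from var/portvar lines."""
    variables, includes = {}, []
    # snort joins backslash-newline continuations, so do the same before parsing
    for line in conf_text.replace("\\\n", " ").splitlines():
        m = re.match(r"^\s*(?:var|portvar)\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^\s*include\s+(\S+)", line)
        if m:
            expand = lambda v: variables.get(v.group(1), v.group(0))
            includes.append(re.sub(r"\$(\w+)", expand, m.group(1)))
    return includes

def active_rules_by_proto(conf_text, files):
    """Count uncommented rules per protocol and map each msg to the file it came from."""
    counts, origin = Counter(), {}
    for path in resolve_includes(conf_text):
        for line in files.get(path, "").splitlines():
            m = RULE_RE.match(line)  # a leading '#' disables the rule, so it won't match
            if m:
                counts[m.group(2)] += 1
                msg = MSG_RE.search(line)
                if msg:
                    origin[msg.group(1)] = path
    return counts, origin
```

Against a live sensor, feed it the real files, e.g. `files = {p: open(p).read() for p in resolve_includes(conf) if os.path.exists(p)}`. If the icmp count comes back zero, or the only ICMP rules present are commented out, no ICMP alert can be produced regardless of what stream5 tracks.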
