Snort 2.7.0 não reconhece varredura nmap
Olá pessoal,
Estou configurando o Snort para um trabalho acadêmico. Com base no arquivo exemplo montei a configuração abaixo, porém quando executo o programa a varredura do nmap não está sendo reconhecida, além de o Snort estar muito lento.
Alguém pode me ajudar a ajustar estas regras?
Desde já muito obrigado.
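#--------------------------------------------------
# http://www.snort.org Snort 2.7.0 Ruleset
# Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id$
#
# NOTE(review): the posted copy had been re-wrapped by the mail client.
# Several directives were split over two lines ("var" / "SNMP_SERVERS",
# "frag3_engine: policy" / "linux", the stream5_tcp continuation, two
# "# include" lines) and a few fragments were left uncommented ("-----",
# "}", "MKD } \"). Snort aborts on the first line it cannot parse, so those
# lines are joined or commented out below; every active value is otherwise
# the one that was posted, except the two changes marked REVIEW.
#
# Step #1: Set the network variables:
# var HOME_NET $eth0_ADDRESS
# internal network
var HOME_NET 10.1.1.0/24
# external network. Keep this "any" (not !$HOME_NET) as long as the host
# running nmap sits inside 10.1.1.0/24: the scan.rules signatures are
# written $EXTERNAL_NET -> $HOME_NET and would never match an internal
# scanner otherwise.
var EXTERNAL_NET any
# server variables
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
# server ports
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
#var ORACLE_PORTS 1521
#var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
# path to the rule files
var RULE_PATH /etc/snort/rules
###################################################
# Step #2: Configure dynamic loaded libraries
# NOTE(review): "smtp" and "dns" (Step #3) are dynamic preprocessors in
# Snort 2.7.x. If this binary was built with dynamic-plugin support, the
# "dynamicpreprocessor directory" and "dynamicengine" lines must be active
# (paths adjusted to the install) or those two preprocessor directives
# fail to load — confirm against how this snort was built.
#dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
#dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
###################################################
# Step #3: Configure preprocessors
# FLOW preprocessor
# ---------------------------------------------------------------------
# preprocessor flow: stats_interval 0 hash 2
# STREAM4 preprocessor (stream4 and stream5 must not both be enabled;
# stream5 is the active one below, so this stays commented out)
# ---------------------------------------------------------------------
# preprocessor stream4: detect_scans, \
# memcap 132000000, \
# disable_evasion_alerts
# preprocessor stream4_reassemble: both
# FRAG3 preprocessor: Target-based IP defragmentation
# ---------------------------------------------------------------------
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux \
    detect_anomalies \
    bind_to 10.1.1.0/24
# STREAM5 preprocessor: Target Based stateful inspection/stream reassembly for Snort
# ---------------------------------------------------------------------
preprocessor stream5_global: max_tcp 256000, track_tcp yes, \
    track_udp no, \
    memcap 64000000
# NOTE(review): "ports all" reassembles every TCP port, which is a likely
# contributor to the slowness that was reported; the stock 2.7 snort.conf
# names only the service ports. Confirm by timing a run with the default
# port list before changing it.
preprocessor stream5_tcp: policy linux, \
    ports all, \
    detect_anomalies
# preprocessor stream5_udp: ignore_any_rules
# Performance Statistics
# ---------------------------------------------------------------------
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats events max pktcnt 10000
# HTTP_INSPECT preprocessor - OK
# ---------------------------------------------------------------------
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    detect_anomalous_servers
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    oversize_dir_length 500 \
    flow_depth 300 \
    double_decode yes \
    multi_slash yes \
    webroot yes
# disabled http_inspect_server options:
# ascii no \
# non_rfc_char { 0x00 } \
# chunk_length 500000 \
# non_strict \
# no_alerts
# RPC_DECODE preprocessor: normalize RPC traffic
# ---------------------------------
# preprocessor rpc_decode: 111 32771
# BO preprocessor: Back Orifice detector
# -------------------------
# preprocessor bo: drop { snort_attack }
# TELNET_DECODE preprocessor
# ---------------------------------------------------------------------
# preprocessor telnet_decode
# FTP_TELNET preprocessor
# ---------------------------------------------------------------------
# preprocessor ftp_telnet: global \
# encrypted_traffic yes \
# inspection_type stateful
# preprocessor ftp_telnet_protocol: telnet \
# normalize \
# ayt_attack_thresh 200
# preprocessor ftp_telnet_protocol: ftp server default \
# def_max_param_len 100 \
# alt_max_param_len 200 { CWD } \
# cmd_validity MODE < char ASBCZ > \
# cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
# chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
# telnet_cmds yes \
# data_chan
# preprocessor ftp_telnet_protocol: ftp client default \
# max_resp_len 256 \
# bounce yes \
# telnet_cmds yes
# SMTP preprocessor: SMTP normalizer, protocol enforcement and buffer overflow
# ---------------------------------------------------------------------------
preprocessor smtp: \
    ports { 25 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }
# disabled smtp options. They were sitting between two "\" continuation
# lines in the posted copy (the third one had its "#" wrapped onto its own
# line); they are kept together here, outside the continuation.
# max_command_line_len 512
# max_header_line_len 1024
# max_response_line_len 512
# sfPortscan preprocessor
# ----------
# REVIEW: sense_level was "low". At "low" sfPortscan only alerts on error
# replies (RST / ICMP unreachable) coming back from the scanned host, so a
# scan against a host that silently drops the probes produces no alert at
# all. "medium" also tracks connection counts and raises the Filtered Scan
# events, which is the usual first step when an nmap run goes unnoticed;
# it can false-positive on busy hosts (proxies, DNS caches), which is what
# the ignore_scanners / ignore_scanned options are for.
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    memcap { 10000000 } \
    sense_level { medium }
# enabling logfile writes the per-scan details (ports, priority count) that
# the alert line alone does not carry; the directory must exist.
# logfile { /var/log/snort/log/scan.log } \
# detect_ack_scans
# DNS
#----------------------------------------
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow
####################################################################
# Step #4: Configure output plugins
#
# REVIEW: an alert output plugin was added so that alerts (including the
# sfPortscan events) land in a predictable file, <logdir>/alert, one line
# per event, instead of depending on the -A default of the command line.
output alert_fast: alert
output log_tcpdump: tcpdump.log
include classification.config
include reference.config
####################################################################
# Step #6: Customize your rule set
#=========================================
include $RULE_PATH/local.rules
# include $RULE_PATH/bad-traffic.rules
# include $RULE_PATH/exploit.rules
# scan.rules carries the nmap-specific signatures; keep it enabled.
include $RULE_PATH/scan.rules
# include $RULE_PATH/finger.rules
# include $RULE_PATH/ftp.rules
# include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
# include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
# include $RULE_PATH/sql.rules
# include $RULE_PATH/x11.rules
# include $RULE_PATH/icmp.rules
# include $RULE_PATH/netbios.rules
# include $RULE_PATH/misc.rules
# include $RULE_PATH/attack-responses.rules
# include $RULE_PATH/oracle.rules
# include $RULE_PATH/mysql.rules
# include $RULE_PATH/snmp.rules
# include $RULE_PATH/smtp.rules
# include $RULE_PATH/imap.rules
# include $RULE_PATH/pop2.rules
# include $RULE_PATH/pop3.rules
# include $RULE_PATH/nntp.rules
# include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/spyware-put.rules
# include $RULE_PATH/specific-threats.rules
# include $RULE_PATH/experimental.rules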
Pedro C Borges
User Linux # 398043