
Snort 2.7.0 não reconhece varredura nmap



Olá pessoal,

Estou configurando o Snort para um trabalho acadêmico. Com base no arquivo de exemplo montei a configuração abaixo, porém quando executo o programa, a varredura do nmap não está sendo reconhecida, além de estar muito lento.

Alguém pode me ajudar a ajustar estas regras?

Desde já muito obrigado.




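#--------------------------------------------------
#   http://www.snort.org     Snort 2.7.0 Ruleset
#     Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id$
#
# Review notes on this configuration (kept as comments so the file
# stays loadable):
#  * The smtp preprocessor block had commented-out lines sitting in
#    the middle of a backslash-continued statement. Snort joins the
#    continued lines before it strips comments, so the "#" lines were
#    spliced into the statement text. They are now placed after the
#    statement ends.
#  * The http_inspect_server statement had trailing whitespace after
#    a continuation backslash; a backslash must be the last character
#    of the line for the continuation to be recognized.
#  * sfportscan ran at sense_level low, which is the least sensitive
#    setting and relies on negative responses from the scanned host;
#    medium is the documented general-purpose level.
#
# Step #1: Set the network variables:
# var HOME_NET $eth0_ADDRESS

# internal network
var HOME_NET 10.1.1.0/24
# external network
var EXTERNAL_NET any

# Server address variables
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET

# Server port variables
# NOTE(review): http_inspect_server below inspects { 80 8080 }; the
# web-*.rules that use $HTTP_PORTS only cover 80 unless this list is
# widened to match.
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
#var ORACLE_PORTS 1521
#var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# path to the rule files
var RULE_PATH /etc/snort/rules

###################################################
# Step #2: Configure dynamic loaded libraries

#dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
#dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so

###################################################
# Step #3: Configure preprocessors

# FLOW preprocessor
# ---------------------------------------------------------------------
# NOTE(review): Snort 2.x documentation of this era describes
# sfportscan as depending on the flow preprocessor. If scans are still
# not reported after the sfportscan changes below, check
# README.sfportscan shipped with 2.7.0 and enable flow if required.
#    preprocessor flow: stats_interval 0 hash 2

# STREAM4 preprocessor
# ---------------------------------------------------------------------
#    preprocessor stream4: detect_scans, \
#                          memcap 132000000, \
#                          disable_evasion_alerts
#    preprocessor stream4_reassemble: both

# FRAG3 preprocessor: Target-based IP defragmentation
# ---------------------------------------------------------------------
# NOTE(review): the only engine is bound to 10.1.1.0/24; fragments for
# any other destination have no engine. An unbound engine acts as the
# default if wider coverage is wanted.
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux \
               detect_anomalies \
               bind_to 10.1.1.0/24

# STREAM5 preprocessor: Target Based stateful inspection/stream reassembly for Snort
# ---------------------------------------------------------------------
# NOTE(review): "ports all" reassembles every TCP port, which is a
# likely contributor to the slowness reported for this config; the
# stock snort.conf scopes reassembly to a port list.
preprocessor stream5_global: max_tcp 256000, track_tcp yes, \
                             track_udp no, \
                             memcap 64000000
preprocessor stream5_tcp: policy linux, \
                          ports all, \
                          detect_anomalies
#    preprocessor stream5_udp: ignore_any_rules


# Performance Statistics
# ---------------------------------------------------------------------
# Writes periodic statistics every 300 s; this has its own cost and
# can be commented out while troubleshooting detection.
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats events max pktcnt 10000

# HTTP_INSPECT preprocessor - OK
# ---------------------------------------------------------------------
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    detect_anomalous_servers
# Continuation backslashes must be the last character on the line
# (trailing whitespace removed on oversize_dir_length).
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    oversize_dir_length 500 \
    flow_depth 300 \
    double_decode yes \
    multi_slash yes \
    webroot yes
# Options left disabled (kept outside the continued statement):
#       ascii no \
#       non_rfc_char { 0x00 } \
#       chunk_length 500000 \
#       non_strict \
#       no_alerts

# RPC_DECODE preprocessor: normalize RPC traffic
# ---------------------------------
#    preprocessor rpc_decode: 111 32771

# BO preprocessor: Back Orifice detector
# -------------------------
#    preprocessor bo: drop { snort_attack }

# TELNET_DECODE preprocessor
# ---------------------------------------------------------------------
#    preprocessor telnet_decode

# FTP_TELNET preprocessor
# ---------------------------------------------------------------------
#    preprocessor ftp_telnet: global \
#    encrypted_traffic yes \
#    inspection_type stateful

#    preprocessor ftp_telnet_protocol: telnet \
#    normalize \
#    ayt_attack_thresh 200

#    preprocessor ftp_telnet_protocol: ftp server default \
#    def_max_param_len 100 \
#    alt_max_param_len 200 { CWD } \
#    cmd_validity MODE < char ASBCZ > \
#    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
#    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
#    telnet_cmds yes \
#    data_chan

#    preprocessor ftp_telnet_protocol: ftp client default \
#    max_resp_len 256 \
#    bounce yes \
#    telnet_cmds yes

# SMTP preprocessor: SMTP normalizer, protocol enforcement and buffer overflow
# ---------------------------------------------------------------------------
# Do not place "#" lines inside this backslash-continued statement:
# Snort joins continued lines before comment handling.
preprocessor smtp: \
    ports { 25 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }
# Disabled smtp options (moved out of the continued statement above):
#        max_command_line_len 512 \
#        max_header_line_len 1024 \
#        max_response_line_len 512 \

# sfPortscan preprocessor
# ----------
# sense_level raised from low to medium: low only reports scans where
# the scanned host answers negatively, so a scan of a quiet or filtered
# host goes unreported. Medium is the documented general-purpose level.
preprocessor sfportscan: proto  { all } \
                         scan_type { all } \
                         memcap { 10000000 } \
                         sense_level { medium }
# Optional: dedicated scan log and ACK-scan detection (disabled).
#                         logfile { /var/log/snort/log/scan.log } \
#                         detect_ack_scans


# DNS
#----------------------------------------
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow


####################################################################
# Step #4: Configure output plugins
#
# Only packet logging is configured here; alerts go to Snort's default
# alert output unless an output alert_* plugin or -A is used.
output log_tcpdump: tcpdump.log

include classification.config
include reference.config

####################################################################
# Step #6: Customize your rule set
#=========================================

include $RULE_PATH/local.rules
# include $RULE_PATH/bad-traffic.rules
# include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
# include $RULE_PATH/finger.rules
# include $RULE_PATH/ftp.rules
# include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
# include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

# include $RULE_PATH/sql.rules
# include $RULE_PATH/x11.rules
# include $RULE_PATH/icmp.rules
# include $RULE_PATH/netbios.rules
# include $RULE_PATH/misc.rules
# include $RULE_PATH/attack-responses.rules
# include $RULE_PATH/oracle.rules
# include $RULE_PATH/mysql.rules
# include $RULE_PATH/snmp.rules

# include $RULE_PATH/smtp.rules
# include $RULE_PATH/imap.rules
# include $RULE_PATH/pop2.rules
# include $RULE_PATH/pop3.rules

# include $RULE_PATH/nntp.rules
# include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/spyware-put.rules
# include $RULE_PATH/specific-threats.rules
# include $RULE_PATH/experimental.rules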



Pedro C Borges
User Linux # 398043


