Besoin d'aide sur snort.conf
abdoulive
-
abdoulive -
abdoulive -
Bonjour,
dsl! j'ai quelque question conserne la configuration de snort!
j'ai un exposé où je doit manipuler "snort" et "asterisk" ( pour implementer un system alert vocal pour les intrusion réseaux )
j'ai suivi ce doc " https://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10 " ( stp je demande de lire se doc pour ensuite me conprendre )
je me suis arrttt sur cette command " vim /etc/snort/snort.conf "
et la je c pas se que je doit mettre comme config!
g ADSL easy " algérie " mes @ip change chaque conexion
41.201.x.x\?? !! ( se que g mi on "x" change chaque nouvel conexion )
autre chose l'encadreur demande de faire on sorte que snort soie configurer pour une detection de ping ou quelque chose comme sa :s
alors SVP help!
je veux savoir se que je doit modifier de début a la fin ( les regles a modifier ) sur snort.conf ( des explication precise svp pour quelqu'un qui connais rien de rien :s )
dsl! j'ai quelque question conserne la configuration de snort!
j'ai un exposé où je doit manipuler "snort" et "asterisk" ( pour implementer un system alert vocal pour les intrusion réseaux )
j'ai suivi ce doc " https://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10 " ( stp je demande de lire se doc pour ensuite me conprendre )
je me suis arrttt sur cette command " vim /etc/snort/snort.conf "
et la je c pas se que je doit mettre comme config!
g ADSL easy " algérie " mes @ip change chaque conexion
41.201.x.x\?? !! ( se que g mi on "x" change chaque nouvel conexion )
autre chose l'encadreur demande de faire on sorte que snort soie configurer pour une detection de ping ou quelque chose comme sa :s
alors SVP help!
je veux savoir se que je doit modifier de début a la fin ( les regles a modifier ) sur snort.conf ( des explication precise svp pour quelqu'un qui connais rien de rien :s )
2 réponses
Tu as tapé ces commandes? :
# cd /root/snorttmp/snort-2.8.0/etc
# cp * /etc/snort/
Apres tu dois changer les lignes:
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
output database: log, mysql, user=root, password=TON_PASS_MYSQL, dbname=snort
Tu dois avoir au minimum 2 cartes réseau, l'un sera branché à ton réseau local(192.168.X.0), l'autre sera considéré comme externe(!$HOME_NET).
# cd /root/snorttmp/snort-2.8.0/etc
# cp * /etc/snort/
Apres tu dois changer les lignes:
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
output database: log, mysql, user=root, password=TON_PASS_MYSQL, dbname=snort
Tu dois avoir au minimum 2 cartes réseau, l'un sera branché à ton réseau local(192.168.X.0), l'autre sera considéré comme externe(!$HOME_NET).
Salut,
Par exemple tu as cette erreur
database: mysql_error: Table 'snort.sensor' doesn't exist
Les causes possibles
Some possible causes for this error are:
* the user does not have proper INSERT or SELECT privileges
* the sensor table does not exist
* L'utilisateur n'as pas des privilèges pour INSERT ou SELECT
* la table n'existe pas
Par exemple tu as cette erreur
database: mysql_error: Table 'snort.sensor' doesn't exist
Les causes possibles
Some possible causes for this error are:
* the user does not have proper INSERT or SELECT privileges
* the sensor table does not exist
* L'utilisateur n'as pas des privilèges pour INSERT ou SELECT
* la table n'existe pas
mais je me suis bloqué sur un probleme sur cette étape ( je suis toujour le meme doc )
12. Time to test Snort
In the terminal type:
# snort -c /etc/snort/snort.conf
If everything went well you should see an ascii pig.
To end the test hit ctrl + c.
pour moi il m'affiche a la fin fatal error ( alors que je suivez bien le doc ) SVP AIDEZ MOI
:~/snorttmp/snort-2.8.3.2/etc# snort -c /etc/snort/snort.conf Running in IDS mode --== Initializing Snort ==-- Initializing Output Plugins! Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file /etc/snort/snort.conf PortVar 'HTTP_PORTS' defined : [ 80 ] PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ] PortVar 'ORACLE_PORTS' defined : [ 1521 ] Frag3 global config: Max frags: 65536 Fragment memory cap: 4194304 bytes Frag3 engine config: Target-based policy: FIRST Fragment timeout: 60 seconds Fragment min_ttl: 1 Fragment ttl_limit (not used): 5 Fragment Problems: 1 Stream5 global config: Track TCP sessions: ACTIVE Max TCP sessions: 8192 Memcap (for reassembly packet storage): 8388608 Track UDP sessions: INACTIVE Track ICMP sessions: INACTIVE Log info if session memory consumption exceeds 1048576 Stream5 TCP Policy config: Reassembly Policy: FIRST Timeout: 30 seconds Min ttl: 1 Maximum number of bytes to queue per session: 1048576 Maximum number of segs to queue per session: 2621 Options: Static Flushpoint Sizes: YES Reassembly Ports: 21 client (Footprint) 23 client (Footprint) 25 client (Footprint) 42 client (Footprint) 53 client (Footprint) 80 client (Footprint) 110 client (Footprint) 111 client (Footprint) 135 client (Footprint) 136 client (Footprint) 137 client (Footprint) 139 client (Footprint) 143 client (Footprint) 445 client (Footprint) 513 client (Footprint) 514 client (Footprint) 1433 client (Footprint) 1521 client (Footprint) 2401 client (Footprint) 3306 client (Footprint) HttpInspect Config: GLOBAL CONFIG Max Pipeline Requests: 0 Inspection Type: STATELESS Detect Proxy Usage: NO IIS Unicode Map Filename: /etc/snort/unicode.map IIS Unicode Map Codepage: 1252 DEFAULT SERVER CONFIG: Server profile: All Ports: 80 8080 8180 Server Flow Depth: 300 Client Flow Depth: 300 Max Chunk Length: 500000 Max Header Field Length: 0 Inspect Pipeline Requests: YES URI Discovery Strict Mode: NO Allow Proxy Usage: NO Disable Alerting: NO Oversize Dir Length: 500 Only inspect URI: NO Normalize HTTP Headers: NO Normalize HTTP Cookies: NO Ascii: YES alert: NO Double Decoding: YES alert: YES %U Encoding: YES alert: YES Bare Byte: YES alert: YES Base36: OFF UTF 8: OFF IIS Unicode: YES alert: YES Multiple Slash: YES alert: NO IIS Backslash: YES alert: NO Directory Traversal: YES alert: NO Web Root Traversal: YES alert: YES Apache WhiteSpace: YES alert: NO IIS Delimiter: YES alert: NO IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Non-RFC Compliant Characters: NONE Whitespace Characters: 0x09 0x0b 0x0c 0x0d rpc_decode arguments: Ports to decode RPC on: 111 32771 alert_fragments: INACTIVE alert_large_fragments: ACTIVE alert_incomplete: ACTIVE alert_multiple_requests: ACTIVE Portscan Detection Config: Detect Protocols: TCP UDP ICMP IP Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan Sensitivity Level: Low Memcap (in bytes): 10000000 Number of Nodes: 36900 Tagged Packet Limit: 256 Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/... Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/ FTPTelnet Config: GLOBAL CONFIG Inspection Type: stateful Check for Encrypted Traffic: YES alert: YES Continue to check encrypted data: NO TELNET CONFIG: Ports: 23 Are You There Threshold: 200 Normalize: YES Detect Anomalies: NO FTP CONFIG: FTP Server: default Ports: 21 Check for Telnet Cmds: YES alert: YES Identify open data channels: YES FTP Client: default Check for Bounce Attacks: YES alert: YES Check for Telnet Cmds: YES alert: YES Max Response Length: 256 SMTP Config: Ports: 25 587 691 Inspection Type: Stateful Normalize: EXPN RCPT VRFY Ignore Data: No Ignore TLS Data: No Ignore SMTP Alerts: No Max Command Line Length: Unlimited Max Specific Command Line Length: ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260 RCPT:300 VRFY:255 Max Header Line Length: Unlimited Max Response Line Length: Unlimited X-Link2State Alert: Yes Drop on X-Link2State Alert: No Alert on commands: None DCE/RPC Decoder config: Autodetect ports ENABLED SMB fragmentation ENABLED DCE/RPC fragmentation ENABLED Max Frag Size: 3000 bytes Memcap: 100000 KB Alert if memcap exceeded DISABLED Reassembly increment: DISABLED DNS config: DNS Client rdata txt Overflow Alert: ACTIVE Obsolete DNS RR Types Alert: INACTIVE Experimental DNS RR Types Alert: INACTIVE Ports: 53 SSLPP config: Encrypted packets: not inspected Ports: 443 465 563 636 989 992 993 994 995 +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... 2830 Snort rules read 2830 detection rules 0 decoder rules 0 preprocessor rules 2830 Option Chains linked into 215 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ +-------------------[Rule Port Counts]--------------------------------------- | tcp udp icmp ip | src 122 12 0 0 | dst 2382 163 0 0 | any 68 50 50 20 | nc 22 8 15 18 | s+d 3 3 0 0 +---------------------------------------------------------------------------- +-----------------------[thresholding-config]---------------------------------- | memory-cap : 1048576 bytes +-----------------------[thresholding-global]---------------------------------- | none +-----------------------[thresholding-local]----------------------------------- | gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2 | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60 | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60 | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60 | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60 | gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60 | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60 | gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2 | gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2 | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60 | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10 | gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2 +-----------------------[suppression]------------------------------------------ | none ------------------------------------------------------------------------------- Rule application order: activation->dynamic->pass->drop->alert->log Log directory = /var/log/snort Verifying Preprocessor Configurations! Warning: flowbits key 'realplayer.playlist' is checked but not ever set. Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set. Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked. Warning: flowbits key 'dce.bind.veritas' is set but not ever checked. 35 out of 512 flowbits in use. *** *** interface device lookup found: eth0 *** Initializing Network Interface eth0 Decoding Ethernet on interface eth0 database: compiled support for ( mysql ) database: configured to use mysql database: user = root database: password is set database: database name = snort database: host = localhost database: sensor name = 192.168.0.1 database: mysql_error: Table 'snort.sensor' doesn't exist database: mysql_error: Table 'snort.sensor' doesn't exist SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) VALUES ('192.168.0.1','eth0',1,0, 0) database: mysql_error: Table 'snort.sensor' doesn't exist database: Problem obtaining SENSOR ID (sid) from snort->sensor ERROR: When this plugin starts, a SELECT query is run to find the sensor id for the currently running sensor. If the sensor id is not found, the plugin will run an INSERT query to insert the proper data and generate a new sensor id. Then a SELECT query is run to get the newly allocated sensor id. If that fails then this error message is generated. Some possible causes for this error are: * the user does not have proper INSERT or SELECT privileges * the sensor table does not exist If you are _absolutely_ certain that you have the proper privileges set and that your database structure is built properly please let me know if you continue to get this error. You can contact me at (roman@danyliw.com). Fatal Error, Quitting..