|
|
Cụ thể là bạn ping trang nào?
- Nếu không ping được 1 trang mà vẫn vào được trang đó, các trang khác vẫn ping được --> do thằng server của trang đó.
- Nếu không ping được bất cứ trang nào --> modem drop.
|
|
|
minh cần chi tiết từng bước cả cài đặt lẫn cấu hình( không biết có tham lam quá không nhỉ)
|
|
|
xin mọi người chỉ giúp hướng dẫn cài zimbra trên ubuntu server. Mình đang muốn cài nó nhưng chưa thể nào cấu hình được nó. mong mọi người chỉ giúp
|
|
|
vẫn mấy câu trả lời đọc kỹ, mình theo dõi suốt nhưng cuối cùng toàn trả lời như vậy, ai chẳng biết đọc kỹ, mình đã đọc rùi có chẻ hoe ra đâu mấy pro.
|
|
|
hỏi rui nhưng có ai trả lời được đâu.
|
|
|
cho hỏi ai bị lỗi này chưa nhỉ khi cai snort và base
<img src='http://ca6.upanh.com/14.898.19137765.3aS0/untitled.jpg' border='0' alt='%name' />
|
|
|
Theo mình hiểu thì vấn đề có thể là như sau:
Sau khi mã hoá 1 file rồi gửi cho người nhận, người nhận không cần có khoá để giải mã file đó. Mà việc giải mã được thực hiện khi chỉ cần gửi đến đúng đích (mình lấy ví dụ thế), người nhận chỉ cần dùng 1 phần mềm đã thống nhất từ trước để đọc file đó.
|
|
|
ai có tài liệu này không cho mình xin
thienthanbienca3006@yahoo.com
mình xin chân thành cảm ơn
|
|
|
xin xoa topic nay
|
|
|
Norton lởm mà, sao bắt đc, thử dùng thằng Avira xem.
|
|
|
Sao bạn biết là die?
|
|
|
ưu điểm của học BK là có thầy cô giỏi(toàn giáo sư cả nhé), rất nhiệt tình với sinh viên. Ngoài ra BK ko chỉ đào tạo về chuyên ngành mà có thêm 1 số môn khác như chính trị, Triết, Toán cao cấp để rèn luyện tư duy cho sinh viên(cái này mới la quan trọng nhất). Vậy nên theo mình mất thêm 1 năm để có tư duy tốt thì cái giá quá rẻ...
|
|
|
Theo như mình đoán thì có khả năng máy bạn bị nhiễm con Win32/Salit.Y (avira) phát hiện, con này phá hỏng hết tất cả các file *.exe. Bạn down thử avira về diệt, chấp nhận mất file thôi...
|
|
|
Khi mình làm như bạn thì gặp lỗi :"Cannot rename cmd: A file with the name you specified already exists. Specify a different file name". Mặc dù mình đã đổi tên sethc.exe thành abc.exe. Từ đó, mình có suy nghĩ là có phải trong window nó có cơ chế lưu trữ tên các file hệ thống vào 1 bảng nào đó, nên cho dù mình đã đổi tên file sethc.exe thành abc thì vẫn ko thể đổi 1 file exe khác thành file sethc.exe. nếu đúng vậy, thì có ai biết file nào lưu trữ cơ chế này ko?...
|
|
|
mình đang cài ubutu server mình không hiểu sao mình cài được một thời gian khoảng tuần hay mấy ngày thì cài ubutu server của mình không truy nhập vào được nữa. địa chỉ của mình là 192.168.0.103
mình vào từ máy khác trên giao diện web
http://192.168.0.103
thường ngày thì nó hiện lên IT WORK nhưng giờ thì nó lại link ra một đống trang web có địa chỉ ....103 mình không biết chỉnh thế nào
thấy mọi người chỉ thì vào /etc/network rồi nano referent
chỉnh protocol static
addr 192.168.0.103
netmask 255.255.255.0
..
nhưng vẫn không được xin mọi người chỉ giúp
|
|
|
cam ơn bạn đã nhắc nhở
|
|
|
mình cài snort + base trên ubuntu thi giao diện base có nhưng khi mình chuyển sang centos thì không hiể sao snort chạy rồi nhưng với base thì không tài nào ra cái rì trang web trắng tinh
mình gõ như sau
http://192.168.0.154/base
nó hiện ra trang web trắng tinh bình mà trong file cấu hình mình đã chỉnh như sau
/var/ww/html/base
/var/ww/html/adodb
trang web trắng xóa mình chẳng hiểu sao trên ubun tu thì bình thường mà centos thì chẳng thể hiểu nổi
mong sự giúp đỡ
xin chân thành cám ơn
|
|
|
mình xin hỏi mọi người hai cái này nó làm thể nào mà kết nối được với nhau nhi...
chúng có liên quan gì đến nhau
và thằng ossec này mình có thể thêm tool vào cho nó được không vì mình thấy nó chỉ hiện ra cảnh báo mà chẳng thể làm gì được trên nó cả....chẳng chỉnh sửa được mà cũng chẳng ngăn chặn gì được....xin mọi người giúp đỡ
rất chân thành cám ơn
|
|
|
nhưng cái ubutu của mình không có httpd
chỉ vào dược /var/log/
|
|
|
base + snort + ossec mình cài trên server, mình vào từ máy khác
http://192.168.0.103/base/
http://192.168.0.103/ossec/
đều bị lỗi không có quyền trưy nhập
403 - Forbidden
mình không tài nào vào được nữa mong mọi người chỉ giúp chẳng lẽ cài lại máy
|
|
|
bạn có thể cho mình xin file scrip của snort được không của mỉnh không chạy nổi
thienthanbienca3006@yahoo.com
|
|
|
# ps -ef | grep httpd | grep -v root | awk '{print $1}' | uniq
minh chạy lệnh trên hiện ra 115
minh cũng không tai nào khắc phục được lỗi trên cùng mong bạn chỉ rõ giúp mình
mình chân thành cám ơn
|
|
|
Chịu khó phân tích đoạn mã đó sẽ thấy quy luật. Mình khuyên 1 câu:"Đừng vội tin vào những gì nhìn thấy trước mắt"
|
|
|
Vô phương cứu chữa...
|
|
|
thắc mác 1:
cái lưu lượng portscan của mỉnh thì hiện rùi, nhưng cái cần mình hỏi là trên base áy khi mình kick vào portscan event (bạn nhìn thấy trên hình mình port đó )thì không hiểu sao nó lại không mở được portscan.log ma luc trước mình cài thì lại chạy được show ra cái phần portscan event nhưng khi mình cài lại làm lại thì không được và hiện lên thông báo lỗi như trên mặc dù mình đã làm như lần trước (đó là sự ăn may) mình không hiểu sao.
Mỉnh tháy file base_conf.php mình nghĩ không sai gì nữa
mình sẽ port cho mọi người xem file này.
+++++++++++++++++++++++++++++++++++++++++
thắc mắc 2:
một vấn đề nữa là mình chạy file /etc/init.d/snort
một file script mính lấy trên trang này...
http://ubuntuforums.org/showthread.php?t=919472
mình chạy trên ubuntu desktop thì chạy được file này nhưng khi mình cài lên ubuntu-server thì lại toàn báo fail
/etc/init.d/snort start
toàn thất bại mình cũng không hiểu vấn đề là do đâu vì mình cài trên ubuntu-destop thì lần nào cũng ok nhưng khi chạy trên ubuntu server thì thất bại.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
file mọi người tham khảo
<?php
/*******************************************************************************
** Basic Analysis and Security Engine (BASE)
** Copyright (C) 2004 BASE Project Team
** Copyright (C) 2000 Carnegie Mellon University
**
** (see the file 'base_main.php' for license details)
**
** Project Leads: Kevin Johnson <kjohnson@secureideas.net>
** Sean Muller <samwise_diver@users.sourceforge.net>
** Built upon work by Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
**
** Purpose: Vanilla Config file
********************************************************************************
** Authors:
********************************************************************************
** Kevin Johnson <kjohnson@secureideas.net
**
********************************************************************************
*/
/*
Create a unique cookie name for each BASE installation.
*/
$sessionName = str_replace(' ', '_', $BASE_installID . session_name());
session_name($sessionName);
session_start();
$BASE_VERSION = '1.4.4 (dawn)';
/*
Set the below to the language you would like people to use while viewing
your install of BASE.
*/
$BASE_Language = 'english';
/*
Set the $Use_Auth_System variable to 1 if you would like to force users to
authenticate to use the system. Only turn this off if the system is not
accessible to the public or the network at large. i.e. a home user testing it
out!
*/
$Use_Auth_System = 0;
/*
Set the below to 0 to remove the links from the display of alerts.
*/
$BASE_display_sig_links = 1;
/*
Set the base_urlpath to the url location that is the root of your BASE install.
This must be set for BASE to function! Do not include a trailing slash!
But also put the preceding slash. e.g. Your url is http://127.0.0.1/base
set this to /base
*/
$BASE_urlpath = '/var/www/base';
/* Unique BASE ID. The below variable, if set, will append its value to the
* title bar of the browser. This is for people who manage multiple installs
* of BASE and want a simple way to differentiate them on the task bar.
*/
$BASE_installID = '';
/* Custom footer addition. The below variable, if set, will cause
* base_main.php to include what ever file is specified.
* A sample custom footer file is in the contrib directory
*/
$base_custom_footer = '';
/* Path to the DB abstraction library
* (Note: DO NOT include a trailing backslash after the directory)
* e.g. $foo = '/tmp' [OK]
* $foo = '/tmp/' [OK]
* $foo = 'c:\tmp' [OK]
* $foo = 'c:\tmp\' [WRONG]
*/
$DBlib_path = '/var/www/adodb';
/* The type of underlying alert database
*
* MySQL : 'mysql'
* PostgresSQL : 'postgres'
* MS SQL Server : 'mssql'
* Oracle : 'oci8'
*/
$DBtype = 'mysql';
/* Alert DB connection parameters
* - $alert_dbname : MySQL database name of Snort alert DB
* - $alert_host : host on which the DB is stored
* - $alert_port : port on which to access the DB
* - $alert_user : login to the database with this user
* - $alert_password : password of the DB user
*
* This information can be gleaned from the Snort database
* output plugin configuration.
*/
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = '123456';
/* Archive DB connection parameters */
$archive_exists = 0; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort_archive';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = '123456';
/* Type of DB connection to use
* 1 : use a persistant connection (pconnect)
* 2 : use a normal connection (connect)
*/
$db_connect_method = 1;
/* Use referential integrity
* 1 : use
* 0 : ignore (not installed)
*
* Note: Only PostgreSQL and MS-SQL Server databases support
* referential integrity. Use the associated
* create_acid_tbls_?_extra.sql script to add this
* functionality to the database.
*
* Referential integrity will greatly improve the
* speed of record deletion, but also slow record
* insertion.
*/
$use_referential_integrity = 0;
/* SMTP Email Alert action
*
* Requires the Pear-Mail package to be installed like so:
*
* # pear install --alldeps mail
*
*
* - action_email_smtp_host : Which smtp server to use
* - action_email_smtp_localhost : What name to use for this server in the
* SMTP HELO statement. You will likely need to replace this with the name
* of the machine running BASE when connecting to a remote mail server.
* - action_email_smtp_auth : Whether or not to authenticate with
* the smtp host
* 0: We do NOT authenticate ourselves towards the smtp host
* 1: We DO authenticate ourselves towards the smtp host
* with the following credentials:
* - action_email_smtp_user : The user name with the smtp host
* - action_email_smtp_pw : The password for this mail account
* - action_email_from : email address to use in the FROM field of the mail message
* MUST be the same email address used for the SMTP account
* - action_email_subject : subject to use for the mail message
* - action_email_msg : additional text to include in the body of the mail message
* - action_email_mode : specifies how the alert information should be enclosed
* 0 : all emailed alerts should be in the body of the message
* 1 : all emailed alerts should be enclosed in an attachment
*/
$action_email_smtp_host = 'smtp.example.com';
$action_email_smtp_localhost = 'localhost';
$action_email_smtp_auth = 1;
$action_email_smtp_user = 'username';
$action_email_smtp_pw = 'password';
$action_email_from = 'smtpuser@example.com';
$action_email_subject = 'BASE Incident Report';
$action_email_msg = '';
$action_email_mode = 0;
/* Variable to start the ability to handle themes... */
$base_style = 'base_style.css';
/* Chart default colors - (red, green, blue)
* - $chart_bg_color_default : background color of chart
* - $chart_lgrid_color_default : gridline color of chart
* - $chart_bar_color_default : bar/line color of chart
*/
$chart_bg_color_default = array(255,255,255);
$chart_lgrid_color_default = array(205,205,205);
$chart_bar_color_default = array(190, 5, 5);
/* Maximum number of rows per criteria element */
$MAX_ROWS = 10;
/* Number of rows to display for any query results */
$show_rows = 48;
/* Number of items to return during a snapshot
* Last _X_ # of alerts/unique alerts/ports/IP
*/
$last_num_alerts = 15;
$last_num_ualerts = 15;
$last_num_uports = 15;
$last_num_uaddr = 15;
/* Number of items to return during a snapshot
* Most Frequent unique alerts/IPs/ports
*/
$freq_num_alerts = 5;
$freq_num_uaddr = 15;
$freq_num_uports = 15;
/* Number of scroll buttons to use when displaying query results */
$max_scroll_buttons = 12;
/* Debug mode - how much debugging information should be shown
* Timing mode - display timing information
* SQL trace mode - log SQL statements
* 0 : no extra information
* 1 : debugging information
* 2 : extended debugging information
*
* HTML no cache - whether a no-cache directive should be sent
* to the browser (should be = 1 for IE)
*
* SQL trace file - file to log SQL traces
*/
$debug_mode = 0;
$debug_time_mode = 1;
$html_no_cache = 1;
$sql_trace_mode = 0;
$sql_trace_file = '';
/* Auto-Screen refresh
* - Refresh_Stat_Page - Should certain statistics pages refresh?
* - refresh_all_pages - Should all the pages trigger the http refresh,
* as well?
* 0: No, they should not.
* 1: Yes, even these pages should refresh.
* - Stat_Page_Refresh_Time - refresh interval (in seconds)
*/
$refresh_stat_page = 1;
$refresh_all_pages = 0;
$stat_page_refresh_time = 180;
/* Display First/Previous/Last timestamps for alerts or
* just First/Last on the Unique Alert listing.
* 1: yes
* 0: no
*/
$show_previous_alert = 0;
/* Sets maximum execution time (in seconds) of any particular page.
* Note: this overrides the PHP configuration file variable
* max_execution_time. Thus script can run for a total of
* ($max_script_runtime + max_execution_time) seconds
*/
$max_script_runtime = 180;
/* How should the IP address criteria be entered in the Search screen?
* 1 : each octet is a separate field
* 2 : entire address is as a single field
*/
$ip_address_input = 2;
/* Should a combo box with possible signatures be displayed on the
* search form. (Requires Javascript)
* 0 : disabled
* 1 : show only non pre-processor signatures (e.g., ignore portscans)
* 2 : show all signatures
*/
$use_sig_list = 0;
/* Resolve IP to FQDN (on certain queries?)
* 1 : yes
* 0 : no
*/
$resolve_IP = 0;
/* automatically expand the IP Criteria and Payload Criteria sections on the Search screen?)
* 1 : yes
* 0 : no - you need to click on them to see them
*/
$show_expanded_query = 0;
/* Should summary stats be calculated on every Query Results page
* (Enabling this option will slow page loading time)
*/
$show_summary_stats = 0;
/* DNS cache lifetime (in minutes) */
$dns_cache_lifetime = 20160;
/* Whois information cache lifetime (in minutes) */
$whois_cache_lifetime = 40320;
/* Snort spp_portscan log file */
$portscan_file = '/var/log/snort/portscan.log';
/* Show part of portscan payload in signature */
$portscan_payload_in_signature = '1';
/* Event cache Auto-update
*
* Should the event cache be verified and updated on every
* page log? Otherwise, the cache will have to be explicitly
* updated from the 'cache and status' page.
*
* Note: enabling this option could substantially slow down
* the page loading time when there are many uncached alerts.
* However, this is only a one-time penalty.
*
* 1 : yes
* 0 : no
*/
$event_cache_auto_update = 1;
/* Maintain a history of the visited pages so that the 'Back'
* button can be used.
*
* Note: Enabling this option will cause the PHP-session to
* grow substantially after many pages have been viewed causing
* a slow down in page loading time. Periodically return to the
* main page to clear the history.
*
* 1 : yes
* 0 : no
*/
$maintain_history = 1;
/* Level of detail to display on the main page.
*
* Note: The presence of summary statistics will slow page loading time
*
* 1 : show both the links and summary statistics
* 0 : show only the links and a count of the number of alerts
*/
$main_page_detail = 1;
/* avoid count whenever possible
*
* Note: On some databases (e.g., postgres) this can greatly increase
* performance if you have a large number of events. On other databases
* (e.g., mysql) this will have little to no effect. Enabling this
* option will prevent the number of events in the database from being
* shown on the main screen and will remove the percentages associated
* with the number of events on the alert screen.
*/
$avoid_counts = 0;
/* show links to first/last/previous event on alert screen
*
* Note: Enabling this can slow down loading of the alert screen on large
* databases
*/
$show_first_last_links = 0;
/*
* External urls
*/
/* Whois query */
$external_whois_link = 'http://www.dnsstuff.com/tools/whois.ch?ip=';
/* Local whois */
/* IP addresses of whois servers. Updated on Aug, 1st 2009.
*
* Name: whois.arin.net
* Addresses: 199.212.0.43
*
* Name: whois4.apnic.net
* Address: 202.12.29.13
* Aliases: whois.apnic.net
*
* Name: whois.ripe.net
* Address: 193.0.6.135
*
* Name: whois.nic.ad.jp
* Address: 192.41.192.40
*
*/
$arin_ip = "199.212.0.43";
$apnic_ip = "202.12.29.13";
$ripe_ip = "193.0.6.135";
$jnic_ip = "192.41.192.40";
/* DNS query */
$external_dns_link = 'http://www.dnsstuff.com/tools/ptr.ch?ip=';
/* SamSpade 'all' query */
$external_all_link = 'http://www.whois.sc/';
/* TCP/UDP port database */
$external_port_link = array('sans' => 'http://isc.sans.org/port.html?port=',
'tantalo' => 'http://ports.tantalo.net/?q=',
'sstats' => 'http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=');
/* Signature references */
$external_sig_link = array('bugtraq' => array('http://www.securityfocus.com/bid/', ''),
'snort' => array('http://www.snort.org/pub-bin/sigs.cgi?sid=', ''),
'cve' => array('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', ''),
'arachnids' => array('http://www.whitehats.com/info/ids', ''),
'mcafee' => array('http://vil.nai.com/vil/content/v_', '.htm'),
'icat' => array('http://icat.nist.gov/icat.cfm?cvename=CAN-', ''),
'nessus' => array('http://www.nessus.org/plugins/index.php?view=single&id=', ''),
'url' => array('http://', ''),
'local' => array('signatures/', '.txt'),
'local_rules_dir' => array('rules/', '.rules'),
'EmThreats' => array('http://docs.emergingthreats.net/', ''));
/* Custom (user) PHP session handlers
*
* - use_user_session : sets whether user PHP session can be used (configured
* with the session.save_handler variable in php.ini)
* 0 : no
* 1 : yes (assuming that 'user_session_path' and 'user_session_function'
* are configured correctly)
* - user_session_path : file to include that implements the custom PHP session
* handler
* - user_session_function : function to invoke in the custom session
* implementation that will register the session handler
* functions
*/
$use_user_session = 0;
$user_session_path = '';
$user_session_function = '';
/**
* This option is used to set if BASE will use colored results
* based on the priority of alerts
* 0 : no
* 1 : yes
*/
$colored_alerts = 0;
// Red, yellow, orange, gray, white, blue
$priority_colors = array ('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');
/** IP address to country support
*
* 1. First method for the mapping of ip addresses to country names:
*
* If you have installed the perl module Geo::IPfree
* http://search.cpan.org/CPAN/authors/id/G/GM/GMPASSOS/Geo-IPfree-0.2.tar.gz
* then generate the country database in readable ASCII format,
* similarly to this:
* cd /usr/lib/perl5/site_perl/5.8.8/Geo/
* perl ipct2txt.pl ./ipscountry.dat /var/www/html/ips-ascii.txt
*
* Set the absolute path to this database accordingly:
*/
//$Geo_IPfree_file_ascii = "/var/www/html/ips-ascii.txt";
/** 2. Second method for the mapping of ip addresses to country names:
*
* If you have installed the perl module IP::Country
* http://search.cpan.org/dist/IP-Country/
* (requires Geography::Countries as well),
* then uncomment and correct the absolute path to this perl executable:
*/
//$IP2CC = "/usr/bin/ip2cc";
/*
The below line should not be changed!
*/
$BASE_path = dirname(__FILE__);
// _BASE_INC is a variable set to prevent direct access to certain include files....
define( '_BASE_INC', 1 );
// Include for languages
include("$BASE_path/languages/$BASE_Language.lang.php"
?>
|
|
|
cuốn sách rất hay, nhưng mà ko down đc bạn ơi. Xem lại dùm mình với
|
|
|
xin lỗi bạn mình xem trong base như sau
drwxr-xr-x 14 chieu chieu 4096 2009-11-09 15:37 base
còn file base_conf.php
-rw-r--r-- 1 root root 15503 2009-11-09 15:41 base_conf.php
tại vì mình không biết xem account của base xem thông tin o dâu mong bạn chỉ giúp mình với
minh xin chân thành cám ơn
|
|
|
mình xem nó như sau
-rw-r--r-- 1 root root 759 2009-11-15 22:58 portscan.log
|
|
|
file cấu hình của mình như thế này xin mọi ngừoi góp y
mình muốn dùng cho toàn mạng 192.168.0.0 -->192.168.255.255
cài trên ubutu server
có gì không đúng mọi ngừoi góp y hộ mình với xin chân thành cám ơn
#--------------------------------------------------
# http://www.snort.org Snort 2.8.5 Ruleset
# Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id$
#
###################################################
# This file contains a sample snort configuration.
# You can take the following steps to create your own custom configuration:
#
# 1) Set the variables for your network
# 2) Configure dynamic loaded libraries
# 3) Configure preprocessors
# 4) Configure output plugins
# 5) Add any runtime config directives
# 6) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect your local network. The
# variable is currently setup for an RFC 1918 address space.
#
# You can specify it explicitly as:
#
# var HOME_NET 10.1.1.0/24
#
# if Snort is built with IPv6 support enabled (--enable-ipv6), use:
#
# ipvar HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which you run
# snort at. Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR list!
#
# or you can specify the variable to be any IP address
# like this:
var HOME_NET 192.168.0.0/16
# Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET any
# Configure your server lists. This allows snort to only look for attacks to
# systems that have a service up. Why look for HTTP attacks if you are not
# running a web server? This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.
# list of DNS servers on your network
var DNS_SERVERS $HOME_NET
# list of SMTP servers on your network
var SMTP_SERVERS $HOME_NET
# list of web servers on your network
var HTTP_SERVERS $HOME_NET
# list of sql servers on your network
var SQL_SERVERS $HOME_NET
# list of telnet servers on your network
var TELNET_SERVERS $HOME_NET
# list of telnet servers on your network
var FTP_SERVERS $HOME_NET
# list of snmp servers on your network
var SNMP_SERVERS $HOME_NET
# Configure your service ports. This allows snort to look for attacks destined
# to a specific application only on the ports that application runs on. For
# example, if you run a web server on port 8180, set your HTTP_PORTS variable
# like this:
#
# portvar HTTP_PORTS 8180
#
# Ports you run web servers on
portvar HTTP_PORTS 80
# NOTE: If you wish to define multiple HTTP ports, use the portvar
# syntax to represent lists of ports and port ranges. Examples:
## portvar HTTP_PORTS [80,8080]
## portvar HTTP_PORTS [80,8000:8080]
# And only include the rule that uses $HTTP_PORTS once.
#
# The pre-2.8.0 approach of redefining the variable to a different port and
# including the rules file twice is obsolete. See README.variables for more
# details.
# Ports you want to look for SHELLcode on.
portvar SHELLcode_PORTS !80
# Ports you might see oracle attacks on
portvar ORACLE_PORTS 1521
# Ports for FTP servers
portvar FTP_PORTS 21
# other variables
#
# AIM servers. AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a TCP option is detected
# that shows T/TCP being actively used on the network. If this is normal
# behavior for your network, disable the next option.
#
# config disable_tcpopt_ttcp_alerts
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts
#
# Alert if value in length field (IP, TCP, UDP) is greater than the
# actual length of the captured portion of the packet that the length
# is supposed to represent:
#
# config enable_decode_oversized_alerts
#
# Same as above, but drop packet if in Inline mode -
# enable_decode_oversized_alerts must be enabled for this to work:
#
# config enable_decode_oversized_drops
#
# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very limited
# resources:
#
# config detection: search-method lowmem
# Configure Inline Resets
# ========================
#
# If running an iptables firewall with snort in InlineMode() we can now
# perform resets via a physical device. We grab the indev from iptables
# and use this for the interface on which to send resets. This config
# option takes an argument for the src mac address you want to use in the
# reset packet. This way the bridge can remain stealthy. If the src mac
# option is not set we use the mac address of the indev device. If we
# don't set this option we will default to sending resets via raw socket,
# which needs an ipaddress to be assigned to the int.
#
# config layer2resets: 00:06:76D:5F:E3
###################################################
# Step #2: Configure dynamic loaded libraries
#
# If snort was configured to use dynamically loaded libraries,
# those libraries can be loaded here.
#
# Each of the following configuration options can be done via
# the command line as well.
#
# Load all dynamic preprocessors from the install path
# (same as command line option --dynamic-preprocessor-lib-dir)
#
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
#
# Load a specific dynamic preprocessor library from the install path
# (same as command line option --dynamic-preprocessor-lib)
#
# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
#
# Load a dynamic engine from the install path
# (same as command line option --dynamic-engine-lib)
#
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
#
# Load all dynamic rules libraries from the install path
# (same as command line option --dynamic-detection-lib-dir)
#
# dynamicdetection directory /usr/local/lib/snort_dynamicrule/
#
# Load a specific dynamic rule library from the install path
# (same as command line option --dynamic-detection-lib)
#
# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
#
###################################################
# Step #3: Configure preprocessors
#
# General configuration for preprocessors is of
# the form
# preprocessor <name_of_processor>: <configuration_options>
# frag3: Target-based IP defragmentation
# --------------------------------------
#
# Frag3 is a brand new IP defragmentation preprocessor that is capable of
# performing "target-based" processing of IP fragments. Check out the
# README.frag3 file in the doc directory for more background and configuration
# information.
#
# Frag3 configuration is a two step process, a global initialization phase
# followed by the definition of a set of defragmentation engines.
#
# Global configuration defines the number of fragmented packets that Snort can
# track at the same time and gives you options regarding the memory cap for the
# subsystem or, optionally, allows you to preallocate all the memory for the
# entire frag3 system.
#
# frag3_global options:
# max_frags: Maximum number of frag trackers that may be active at once.
# Default value is 8192.
# memcap: Maximum amount of memory that frag3 may access at any given time.
# Default value is 4MB.
# prealloc_frags: Maximum number of individual fragments that may be processed
# at once. This is instead of the memcap system, uses static
# allocation to increase performance. No default value. Each
# preallocated fragment typically eats ~1550 bytes. However,
# the exact amount is determined by the snaplen, and this can
# go as high as 64K so beware!
#
# Target-based behavior is attached to an engine as a "policy" for handling
# overlaps and retransmissions as enumerated in the Paxson paper. There are
# currently five policy types available: "BSD", "BSD-right", "First", "Linux"
# and "Last". Engines can be bound to standard Snort CIDR blocks or
# IP lists.
#
# frag3_engine options:
# timeout: Amount of time a fragmented packet may be active before expiring.
# Default value is 60 seconds.
# ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
# Based on the initial received fragment TTL.
# min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
# value will be discarded. Default value is 0.
# detect_anomalies: Activates frag3's anomaly detection mechanisms.
# policy: Target-based policy to assign to this engine. Default is BSD.
# bind_to: IP address set to bind this engine to. Default is all hosts.
#
# Frag3 configuration example:
#preprocessor frag3_global: max_frags 65536, prealloc_frags 65536
#preprocessor frag3_engine: policy linux \
# bind_to [10.1.1.12/32,10.1.1.13/32] \
# detect_anomalies
#preprocessor frag3_engine: policy first \
# bind_to 10.2.1.0/24 \
# detect_anomalies
#preprocessor frag3_engine: policy last \
# bind_to 10.3.1.0/24
#preprocessor frag3_engine: policy bsd
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies overlap_limit 10
# stream5: Target Based stateful inspection/stream reassembly for Snort
# ---------------------------------------------------------------------
# Stream5 is a target-based stream engine for Snort. It handles both
# TCP and UDP connection tracking as well as TCP reassembly.
#
# See README.stream5 for details on the configuration options.
#
# Example config
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
# preprocessor stream5_udp: ignore_any_rules
# Performance Statistics
# ----------------------
# Documentation for this is provided in the Snort Manual. You should read it.
# It is included in the release distribution as doc/snort_manual.pdf
#
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
# http_inspect: normalize and detect HTTP traffic and protocol anomalies
#
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
#
# Example unique server configuration
#
#preprocessor http_inspect_server: server 1.1.1.1 \
# ports { 80 3128 8080 } \
# server_flow_depth 0 \
# ascii no \
# double_decode yes \
# non_rfc_char { 0x00 } \
# chunk_length 500000 \
# non_strict \
# oversize_dir_length 300 \
# no_alerts
# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual 4-byte encoding
# that is used by default. This plugin takes the port numbers that RPC
# services are running on as arguments - it is assumed that the given ports
# are actually running this type of service. If not, change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
# sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
# exceeds the current packet size
preprocessor rpc_decode: 111 32771
# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.
#
# arguments:
# syntax:
# preprocessor bo: noalert { client | server | general | snort_attack } \
# drop { client | server | general | snort_attack }
# example:
# preprocessor bo: noalert { general server } drop { snort_attack }
#
#
# The Back Orifice detector uses Generator ID 105 and uses the
# following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Back Orifice traffic detected
# 2 Back Orifice Client Traffic Detected
# 3 Back Orifice Server Traffic Detected
# 4 Back Orifice Snort Buffer Attack
preprocessor bo
# ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
# ---------------------------------------------------------------------------
# This preprocessor normalizes telnet negotiation strings from telnet and
# ftp traffic. It looks for traffic that breaks the normal data stream
# of the protocol, replacing it with a normalized representation of that
# traffic so that the "content" pattern matching keyword can work without
# requiring modifications.
#
# It also performs protocol correctness checks for the FTP command channel,
# and identifies open FTP data transfers.
#
# FTPTelnet has numerous options available, please read
# README.ftptelnet for help configuring the options for the global
# telnet, ftp server, and ftp client sections for the protocol.
#####
# Per Step #2, set the following to load the ftptelnet preprocessor
# dynamicpreprocessor file <full path to libsf_ftptelnet_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
preprocessor ftp_telnet: global \
encrypted_traffic yes \
inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200
# This is consistent with the FTP rules as of 18 Sept 2004.
# CWD can have param length of 200
# MODE has an additional mode of Z (compressed)
# Check for string formats in USER & PASS commands
# Check nDTM commands that set modification time on the file.
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
alt_max_param_len 200 { CWD } \
cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
telnet_cmds yes \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes
# smtp: SMTP normalizer, protocol enforcement and buffer overflow
# ---------------------------------------------------------------------------
# This preprocessor normalizes SMTP commands by removing extraneous spaces.
# It looks for overly long command lines, response lines, and data header lines.
# It can alert on invalid commands, or specific valid commands. It can optionally
# ignore mail data, and can ignore TLS encrypted data.
#
# SMTP has numerous options available, please read README.SMTP for help
# configuring options.
#####
# Per Step #2, set the following to load the smtp preprocessor
# dynamicpreprocessor file <full path to libsf_smtp_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
preprocessor smtp: \
ports { 25 587 691 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
# sfPortscan
# ----------
# Portscan detection module. Detects various types of portscans and
# portsweeps. For more information on detection philosophy, alert types,
# and detailed portscan information, please refer to the README.sfportscan.
#
# -configuration options-
# proto { tcp udp icmp ip all }
# The arguments to the proto option are the types of protocol scans that
# the user wants to detect. Arguments should be separated by spaces and
# not commas.
# scan_type { portscan portsweep decoy_portscan distributed_portscan all }
# The arguments to the scan_type option are the scan types that the
# user wants to detect. Arguments should be separated by spaces and not
# commas.
# sense_level { low|medium|high }
# There is only one argument to this option and it is the level of
# sensitivity in which to detect portscans. The 'low' sensitivity
# detects scans by the common method of looking for response errors, such
# as TCP RSTs or ICMP unreachables. This level requires the least
# tuning. The 'medium' sensitivity level detects portscans and
# filtered portscans (portscans that receive no response). This
# sensitivity level usually requires tuning out scan events from NATed
# IPs, DNS cache servers, etc. The 'high' sensitivity level has
# lower thresholds for portscan detection and a longer time window than
# the 'medium' sensitivity level. Requires more tuning and may be noisy
# on very active networks. However, this sensitivity levels catches the
# most scans.
# memcap { positive integer }
# The maximum number of bytes to allocate for portscan detection. The
# higher this number the more nodes that can be tracked.
# logfile { filename }
# This option specifies the file to log portscan and detailed portscan
# values to. If there is not a leading /, then snort logs to the
# configured log directory. Refer to README.sfportscan for details on
# the logged values in the logfile.
# watch_ip { Snort IP list }
# ignore_scanners { Snort IP list }
# ignore_scanned { Snort IP list }
# These options take a snort IP list as the argument. The 'watch_ip'
# option specifies the IP(s) to watch for portscan. The
# 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
# Note that these hosts are still watched as scanned hosts. The
# 'ignore_scanners' option is used to tune alerts from very active
# hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
# specifies the IP(s) to ignore as scanned hosts. Note that these hosts
# are still watched as scanner hosts. The 'ignore_scanned' option is
# used to tune alerts from very active hosts such as syslog servers, etc.
# detect_ack_scans
# This option will include sessions picked up in midstream by the stream
# module, which is necessary to detect ACK scans. However, this can lead to
# false alerts, especially under heavy load with dropped packets; which is why
# the option is off by default.
#
preprocessor sfportscan: proto { all } \
scan_type { all } \
memcap { 10000000 } \
sense_level { high } \
logfile { /var/log/snort/portscan.log }
# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring. To make use of
# this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you. Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection.
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Unicast ARP request
# 2 Etherframe ARP mismatch (src)
# 3 Etherframe ARP mismatch (dst)
# 4 ARP cache overwrite attack
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
# ssh
# ------------------------------
# The SSH preprocessor detects the following exploits: Challenge-Response
# Authentication overflow, CRC 32 overflow, Secure CRT version string overflow,
# and protocol version mismatches.
#
# Both Challenge-Response Auth and CRC 32 attacks occur after the key exchange,
# and are therefore encrypted. Both attacks involve sending a large payload
# (20kb+) to the server immediately after the authentication challenge.
# To detect the attacks, the SSH preprocessor counts the number of bytes
# transmitted to the server. If those bytes exceed a pre-defined limit,
# set by the option "max_client_bytes", an alert is generated. Since
# the Challenge-Response Auth overflow only affects SSHv2, while CRC 32 only
# affects SSHv1, the SSH version string exchange is used to distinguish
# the attacks.
#
# The Secure CRT and protocol mismatch exploits are observable before
# the key exchange.
#
# SSH has numerous options available, please read README.ssh for help
# configuring options.
#####
# Per Step #2, set the following to load the ssh preprocessor
# dynamicpreprocessor file <full path to libsf_ssh_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
#
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20 \
enable_respoverflow enable_ssh1crc32 \
enable_srvoverflow enable_protomismatch
# DCE/RPC
#----------------------------------------
#
# The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
# It is primarily interested in DCE/RPC data, and only decodes SMB
# to get at the DCE/RPC data carried by the SMB layer.
#
# Currently, the preprocessor only handles reassembly of fragmentation
# at both the SMB and DCE/RPC layer. Snort rules can be evaded by
# using both types of fragmentation; with the preprocessor enabled
# the rules are given a buffer with a reassembled SMB or DCE/RPC
# packet to examine.
#
# At the SMB layer, only fragmentation using WriteAndX is currently
# reassembled. Other methods will be handled in future versions of
# the preprocessor.
#
# Autodetection of SMB is done by looking for "\xFFSMB" at the start of
# the SMB data, as well as checking the NetBIOS header (which is always
# present for SMB) for the type "SMB Session".
#
# Autodetection of DCE/RPC is not as reliable. Currently, two bytes are
# checked in the packet. Assuming that the data is a DCE/RPC header,
# one byte is checked for DCE/RPC version (5) and another for the type
# "DCE/RPC Request". If both match, the preprocessor proceeds with that
# assumption that it is looking at DCE/RPC data. If subsequent checks
# are nonsensical, it ends processing.
#
# DCERPC has numerous options available, please read README.dcerpc for help
# configuring options.
#####
# Per Step #2, set the following to load the dcerpc preprocessor
# dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
#
#preprocessor dcerpc: \
# autodetect \
# max_frag_size 3000 \
# memcap 100000
# DCE/RPC 2
#----------------------------------------
# See doc/README.dcerpc2 for explanations of what the
# preprocessor does and how to configure it.
#
preprocessor dcerpc2
preprocessor dcerpc2_server: default
# DNS
#----------------------------------------
# The dns preprocessor (currently) decodes DNS Response traffic
# and detects a few vulnerabilities.
#
# DNS has a few options available, please read README.dns for
# help configuring options.
#####
# Per Step #2, set the following to load the dns preprocessor
# dynamicpreprocessor file <full path to libsf_dns_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow
# SSL
#----------------------------------------
# Encrypted traffic should be ignored by Snort for both performance reasons
# and to reduce false positives. The SSL Dynamic Preprocessor (SSLPP)
# inspects SSL traffic and optionally determines if and when to stop
# inspection of it.
#
# Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP to
# inspect port 443, only the SSL handshake of each connection will be
# inspected. Once the traffic is determined to be encrypted, no further
# inspection of the data on the connection is made.
#
# If you don't necessarily trust all of the SSL capable servers on your
# network, you should remove the "trustservers" option from the configuration.
#
# Important note: Stream5 should be explicitly told to reassemble
# traffic on the ports that you intend to inspect SSL
# encrypted traffic on.
#
# To add reassembly on port 443 to Stream5, use 'port both 443' in the
# Stream5 configuration.
preprocessor ssl: noinspect_encrypted, trustservers
####################################################################
# Step #4: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use. General
# configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments. Win32 can also optionally
# specify a particular hostname/port. Under Win32, the default hostname is
# '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
output log_tcpdump: tcpdump.log
# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging and generating
# alerts from Snort, the "unified" format. The unified format is a straight
# binary format for logging data out of Snort that is designed to be fast and
# efficient. Used with barnyard (the new alert/log processor), most of the
# overhead for logging and alerting to various slow storage mechanisms such as
# databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
# filename - base filename to write to (current time_t is appended)
# limit - maximum size of spool file in MB (default: 128)
#
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
# prelude: log to the Prelude Hybrid IDS system
# ---------------------------------------------
#
# profile = Name of the Prelude profile to use (default is snort).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from classification.config:
# info = 4
# low = 3
# medium = 2
# high = anything below medium
#
# output alert_prelude
# output alert_prelude: profile=snort-profile-name
# You can optionally define new rule types and associate one or more output
# plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
# type log
# output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server"
#
# This example will create a rule type that will log to syslog and a mysql
# database:
# ruletype redalert
# {
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE:
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
# (msg:"Someone is being LEET"; flags:A+
#
# Include classification & priority settings
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\etc\classification.config
#
include /etc/snort/classification.config
#
# Include reference systems
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\etc\reference.config
#
include /etc/snort/reference.config
####################################################################
# Step #5: Configure snort with config statements
#
# See the snort manual for a full set of configuration references
#
# config flowbits_size: 64
#
# New global ignore_ports config option from Andy Mullican
#
# config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53
####################################################################
# Step #6: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own custom snort
# rules.
#=========================================
# Include all relevant rulesets here
#
# The following rulesets are disabled by default:
#
# web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
# chat, multimedia, and p2p
#
# These rules are either site policy specific or require tuning in order to not
# generate false positive alerts in most enviornments.
#
# Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts are triggered.
#=========================================
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/experimental.rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them.
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\etc\threshold.conf
# Uncomment if needed.
# include threshold.conf
|
|
|
mình một lần chỉnh file portscan.log trong /var/log/snort/portscan.log trao quyên cho no
chmod 644 portscan.log
va trong base_conf.php mình cũng đã chỉnh thành $portscan_file = ' /var/log/snort/portscan.log'
và trong snort.conf mình chỉnh như sau :
preprocessor sfportscan: proto { all } \
scan_type { all } \
memcap { 10000000 } \
sense_level { high } \
logfile { /var/log/snort/portscan.log }
thì chạy được nhưng bầy giờ khi cài lại cũng làm tương tự như trên thì mình hiện ra thông báo lỗi trên mình không biết làm thế nào, mình đã sửa như trên
mong mọi người chỉ giúp mình với
xin chân thành cảm ơn
|
|
|
|
|
|
|