lazy

My 2009 write-up of configuring snort 2.8.4.1 on Windows 2003

Recently I set up snort2.8.4.1 + php5.3 + apache2.2 + mysql5 + adodb509a + base1.4.4 + jpgraph + winpcap402 on win2003 server (I also tried acid0.9.6b23).
Following the guides posted online I took quite a few detours, but it finally runs.
All the software involved can currently be downloaded online; I only just downloaded it myself, so anyone who needs it can fetch it.
There is no strict installation order; roughly it is:
1. snort
2. winpcap
3. mysql5
4. apache2.2
5. php5.3
6. adodb, base, jpgraph

Problems I ran into:
1. php5.3 for windows comes in several installer/zip variants, either nts (Non Thread Safe) or ts (Thread Safe); download the ts one. TS is further split into VC9 and VC6 builds; download VC6. Then there are zip and msi packages; I chose the zip. If you pick the wrong variant or file, the configuration steps other people have written up online will fail because some dll files cannot be found.
2. There seems to be another way of hooking php5 into apache2.2, but the common form is still the better choice, i.e.
  LoadModule php5_module "D:/PHP5/php5apache2_2.dll"
  AddType application/x-httpd-php .php .phtml
3. snort itself ships without rules; you have to register on its website with an email address and activate the account, after which you can download snortrules-snapshot-CURRENT.tar.gz.
4. For mysql I used the msi installer, which prompts for the root password during installation. I manage mysql with sqlyog and used it to create the tables snort needs. Some posts say to create a snort account and grant it privileges; I couldn't be bothered.
5. Unpack adodb into the php5 directory; its configuration apparently does not need changing.
6. Unpack base into apache2\htdocs and open it in IE; it walks you through the configuration step by step. Alternatively, edit its configuration file base_conf.php directly: it holds the adodb path, the mysql parameters and so on, and can also set the interface language to simplified Chinese. acid is a very old version that is no longer updated; base is derived from acid and has better functionality, but its code has a problem: includes\base_state_citems.inc.php must be modified by adding a constructor to the ProtocolFieldCriteria class at line 294:
      // PHP4-style constructor (same name as the class): initialise the base
      // criteria object, then record the element count and the valid field list
      function ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt, $field_list = Array())
      {
         $tdb =& $db;
         $cs =& $cs;

         $this->BaseCriteria($tdb, $cs, $export_name);

         $this->element_cnt = $element_cnt;
         $this->criteria_cnt = 0;
         $this->valid_field_list = $field_list;
      }

7. The snort installer asks which database to use; mysql is supported by default, with mssql or oracle as options. If you choose one of the latter two, your machine apparently needs the corresponding driver installed, otherwise snort fails at startup complaining that certain dlls cannot be found.
8. Browsing the graph pages in base reports that the jpgraph temporary directory is not set; I have not fixed this yet. It apparently requires creating a csimcache directory.
9. When running snort it may capture no packets; run snort -W to check how many network adapters there are, then add the -ix parameter to the command, e.g. -i2.
10. Before running snort, you also need to add the environment variable PCAP_FRAMES with the value max in Windows.
The problems above are solved, but once snort is running, with the -v parameter I can see packets being captured, yet nothing is written to the database; switching to log output produces nothing either, which is very strange.


Below are the snort configuration and the screen output
#--------------------------------------------------
#   http://www.snort.org     Snort 2.8.4.1 Ruleset
#     Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
###################################################
# Step #1: Set the network variables:
#

var HOME_NET any

# Set up the external network addresses as well.  A good start may be "any"
var EXTERNAL_NET any


# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET

portvar HTTP_PORTS 80

portvar SHELLCODE_PORTS !80

portvar ORACLE_PORTS 1521

var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

var RULE_PATH d:\snort\rules
var PREPROC_RULE_PATH ../preproc_rules


###################################################
# Step #2: Configure dynamic loaded libraries
#
dynamicpreprocessor directory d:/snort/lib/snort_dynamicpreprocessor/

###################################################
# Step #3: Configure preprocessors
#

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies

preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                              track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful

preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200

preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   telnet_cmds yes \
   data_chan

preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes

preprocessor smtp: \
  ports { 25 587 691 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }

preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }


preprocessor dcerpc2
preprocessor dcerpc2_server: default


preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow

preprocessor ssl: noinspect_encrypted, trustservers


####################################################################
# Step #4: Configure output plugins
#
output database: alert, mysql, user=root password=111222 dbname=snort host=localhost encoding=ascii detail=full
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
include d:\snort\etc\classification.config
include d:\snort\etc\reference.config

####################################################################
# Step #5: Configure snort with config statements
#

####################################################################
# Step #6: Customize your rule set
#

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
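A check that goes with the configuration above, as an added example that is not code from the original post or from the Snort project: a small Python script that parses a snort.conf in Snort 2.8 syntax (var/portvar lines, backslash continuations, $VAR expansion in include paths) and reports the settings most likely to cause confusion later: HOME_NET left as any, which makes rules written as $EXTERNAL_NET -> $HOME_NET match in both directions; a plaintext database password on the output line; and a variable referenced before it is defined. SAMPLE_CONF is a constructed, trimmed copy of the config above with the password replaced by a placeholder, and the finding codes (HOME_NET_ANY and so on) are this script's own names, not anything Snort emits.

```python
"""Audit a Snort 2.8-style snort.conf for settings that commonly cause trouble.

Added example, not code from the original post or from the Snort project.
It assumes the Snort 2.8 configuration syntax: one directive per logical line
(var, portvar, preprocessor, output, include, ...), '#' comments and
backslash line continuations. The finding codes are this script's own.
"""
import os
import re
import sys
from pathlib import PureWindowsPath

# Constructed sample: a trimmed copy of the post's snort.conf, with the
# database password replaced by a placeholder.
SAMPLE_CONF = r"""
# Step #1: network variables
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
portvar HTTP_PORTS 80
var RULE_PATH d:\snort\rules
var PREPROC_RULE_PATH ../preproc_rules
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                              track_udp no
output database: alert, mysql, user=root password=EXAMPLE_PASSWORD dbname=snort host=localhost
# output log_unified: filename snort.log, limit 128
include $RULE_PATH/local.rules
include $RULE_PATH/scan.rules
"""


def parse_snort_conf(text):
    """Split the config into (directive, argument) pairs.

    Comments are stripped, backslash continuations are joined, and runs of
    whitespace inside a joined line are collapsed to a single space.
    """
    directives = []
    pending = ""

    def emit(entry):
        entry = " ".join(entry.split())
        head, _, rest = entry.partition(" ")
        directives.append((head, rest))

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):            # continuation: keep collecting
            pending += line[:-1] + " "
            continue
        emit(pending + line)
        pending = ""
    if pending.strip():                    # file ended on a continuation line
        emit(pending)
    return directives


def expand(value, env):
    """Replace $NAME references with their definitions; unknown names stay as-is."""
    return re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), m.group(0)), value)


def resolve_vars(directives):
    """Collect var/portvar/ipvar definitions in file order, expanding earlier ones."""
    env = {}
    for head, rest in directives:
        if head in ("var", "portvar", "ipvar"):
            name, _, value = rest.partition(" ")
            env[name] = expand(value, env)
    return env


def resolved_includes(directives, env):
    """Include paths with variables expanded, normalised as Windows paths."""
    return [str(PureWindowsPath(expand(rest, env)))
            for head, rest in directives if head == "include"]


def audit(directives):
    """Return (code, message) findings for the parsed config."""
    env = resolve_vars(directives)
    findings = []
    if env.get("HOME_NET", "").lower() == "any":
        findings.append(("HOME_NET_ANY",
                         "HOME_NET is 'any': rules written as $EXTERNAL_NET -> $HOME_NET "
                         "match in both directions; set it to the monitored subnet(s)"))
    for name, value in env.items():
        if "$" in value:                   # a reference that never resolved
            findings.append(("UNDEFINED_VAR",
                             f"{name} references {value!r}, which is not defined above it"))
    for head, rest in directives:
        if head == "output" and rest.startswith("database:") \
                and re.search(r"\bpassword=\S+", rest):
            findings.append(("DB_PASSWORD_INLINE",
                             "database output plugin carries a plaintext password; "
                             "restrict read access to snort.conf"))
    return findings


def main(argv):
    # With a path argument the real file is audited; otherwise the constructed sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONF
    directives = parse_snort_conf(text)
    for code, msg in audit(directives):
        print(f"[{code}] {msg}")
    for path in resolved_includes(directives, resolve_vars(directives)):
        state = "ok" if os.path.exists(path) else "MISSING"
        print(f"include {path}: {state}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it on the real host as `python snortconf_audit.py d:\snort\etc\snort.conf` (script name assumed) and it also reports which resolved include files actually exist. A config that passes these checks can still write nothing to the database if no rule matches the observed traffic; the usual way to confirm the capture-to-database path before tuning is a catch-all test rule in local.rules, such as an alert on any ICMP with a local sid (1000000 or above), then pinging the sensor and looking for the event in BASE.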



Output

D:\>snort\bin\snort -c snort\etc\snort.conf -l d:\snort\log -i2
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!Initializing Output Plugins!
Var '_ADDRESS' redefined
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort\etc\snort.conf
PortVar 'HTTP_PORTS' defined :  [ 80 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit (not used): 5
    Fragment Problems: 1
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
Stream5 TCP Policy config:
    Reassembly Policy: FIRST
    Timeout: 30 seconds
    Min ttl:  1
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      513 client (Footprint)
      514 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      2401 client (Footprint)
      3306 client (Footprint)
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: snort\etc\unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Server Flow Depth: 300
      Client Flow Depth: 300
      Max Chunk Length: 500000
      Max Header Field Length: 0
      Max Number Header Fields: 0
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Normalize HTTP Cookies: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

Tagged Packet Limit: 256
Loading all dynamic preprocessor libs from d:/snort/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_dce2.dll... done
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_dcerpc.dll... done
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_dns.dll... done
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_ftptelnet.dll... done
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_smtp.dll... done
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_ssh.dll... done
  Loading dynamic preprocessor library d:/snort/lib/snort_dynamicpreprocessor/sf_ssl.dll... done
  Finished Loading all dynamic preprocessor libs from d:/snort/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25 587 691
    Inspection Type: Stateful
    Normalize: EXPN RCPT VRFY
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length:
       ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
       RCPT:300 VRFY:255
    Max Header Line Length: Unlimited
    Max Response Line Length: Unlimited
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
DCE/RPC 2 Preprocessor Configuration
  Global Configuration
    DCE/RPC Defragmentation: Enabled
    Memcap: 102400 KB
    Events: none
  Server Default Configuration
    Policy: WinXP
    Detect ports
      SMB: 139 445
      TCP: 135
      UDP: 135
      RPC over HTTP server: 593
      RPC over HTTP proxy: None
    Autodetect ports
      SMB: None
      TCP: 1025-65535
      UDP: 1025-65535
      RPC over HTTP server: 1025-65535
      RPC over HTTP proxy: None
    Maximum SMB command chaining: 3 commands
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
SSLPP config:
    Encrypted packets: not inspected
    Ports:
      443      465      563      636      989
      992      993      994      995
    Server side data is trusted

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
d:\snort\rules/scan.rules(30): GID 1 SID 616 in rule: "alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;" duplicates previous rule. Ignoring old rule.
608 Snort rules read
    607 detection rules
    0 decoder rules
    0 preprocessor rules
607 Option Chains linked into 163 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src      42       5       0       0
|     dst     346     104       0       0
|     any      43      42      16      10
|      nc       9       4       3       8
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
| gen-id=1      sig-id=13948      type=Threshold tracking=src count=200 seconds=30
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = d:\snort\log
Verifying Preprocessor Configurations!
Warning: flowbits key 'mspub_header' is set but not ever checked.
Warning: flowbits key 'swf_file.request' is checked but not ever set.
Warning: flowbits key 'pdf_file.request' is checked but not ever set.
6 out of 512 flowbits in use.

Initializing Network Interface \Device\NPF_{00129D26-BF62-4020-B633-2E8F2DAF621C}
Decoding Ethernet on interface \Device\NPF_{00129D26-BF62-4020-B633-2E8F2DAF621C}
database: compiled support for ( mysql odbc )
database: configured to use mysql
database:          user = root
database: password is set
database: database name = snort
database:          host = localhost
database: data encoding = ascii
database: detail level  = full
database:   sensor name = SERVERNEW:\Device\NPF_{00129D26-BF62-4020-B633-2E8F2DAF621C}
database:     sensor id = 3
database: schema version = 107
database: using the "alert" facility
fpBuildServicePortGroups: adding protocol-ordinal=6 as service=ftp
fpBuildServicePortGroups: adding protocol-ordinal=7 as service=telnet
fpBuildServicePortGroups: adding protocol-ordinal=33 as service=rtsp
fpBuildServicePortGroups: adding protocol-ordinal=17 as service=finger
fpBuildServicePortGroups: adding protocol-ordinal=5 as service=http
fpBuildServicePortGroups: adding protocol-ordinal=26 as service=sunrpc
fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns
fpBuildServicePortGroups: adding protocol-ordinal=8 as service=smtp
fpBuildServicePortGroups: adding protocol-ordinal=32 as service=ssl
fpBuildServicePortGroups: adding protocol-ordinal=5 as service=http
fpBuildServicePortGroups: adding protocol-ordinal=7 as service=telnet
fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns
fpBuildServicePortGroups: adding protocol-ordinal=23 as service=tftp
fpBuildServicePortGroups: adding protocol-ordinal=26 as service=sunrpc
fpBuildServicePortGroups: adding protocol-ordinal=11 as service=netbios-dgm
fpBuildServicePortGroups: adding protocol-ordinal=11 as service=netbios-dgm
fpBuildServicePortGroups: adding protocol-ordinal=15 as service=dns
fpBuildServicePortGroups: adding protocol-ordinal=26 as service=sunrpc

[ Port and Service Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 175
| Patterns         : 7289
| Pattern Chars    : 33855
| Num States       : 17360
| Num Match States : 4146
| Memory           :   798.98Kbytes
|   Patterns       :   203.73K
|   Match Lists    :   183.63K
|   Transitions    :   369.93K
+-------------------------------------------------

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.4.1-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.4 2007-09-21

           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 2>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 7>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 11>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 2>
           Preprocessor Object: SF_DCERPC  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 1>
Using PCAP_FRAMES = max
0
0