там можно теперь создавать много конфигов и запускать их
одновременно
Пользователь решил продолжить мысль 21 Ноября 2009, 05:18:58:
В мануале это у них выглядит как
2.10 Multiple Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
2.10.1 Creating Multiple Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
2.10.2 Configuration Specific Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
2.10.3 How Configuration is applied? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Snort now supports multiple configurations based on VLAN Id or IP subnet within a single instance of Snort. This will
allow administrators to specify multiple snort configuration files and bind each configuration to one or more VLANs
or subnets rather than running one Snort for each configuration required. Each unique snort configuration file will
create a new configuration instance within snort. VLANs/Subnets not bound to any specific configuration will use the
default configuration. Each configuration can have different preprocessor settings and detection rules.
Т.Е.
можно не запускать кучу снортов с разными конфигами, а запустить один snort, который скушает сразу все конфиги
Пользователь решил продолжить мысль 21 Ноября 2009, 07:20:19:
А вообще хотелось бы на этот новый конфиг взглянуть. Может, присоветуете нормальный мануал (можно на английском) по настройке нового snort 2.8.5.*?
Пользователь решил продолжить мысль 21 Ноября 2009, 13:21:31:
Заодно подскажите, что это за шняга такая — вроде поставил ограничение на флуд в 1600 за минуту, а в алертах всё равно вот это:
[snort] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy 2009-11-21 14:13:00 0.0.0.0:1125 0.0.0.0:22714 TCP
[snort] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy 2009-11-21 14:11:45 0.0.0.0:6112 0.0.0.0:48663 TCP
Кому нужно Snort 2.8.5.2 amd64
Конфиг под него, рабочий =)
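# Snort 2.8.5.2 (amd64) configuration as posted in the thread, with review notes
# added as comments. Two lines were changed on purpose: the clear-text database
# password is replaced by a placeholder, and a duplicate include of icmp.rules
# is dropped; everything else is the poster's configuration as-is.

# --- Network variables -------------------------------------------------------
# HOME_NET is the monitored /29; everything not in it is EXTERNAL_NET.
var HOME_NET 77.91.72.32/29
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [77.91.71.2,77.91.71.3,77.91.72.33]
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
# HTTP_PORTS lists 443, but the http_inspect_server line further down only
# inspects port 80 (443 carries TLS, so HTTP inspection there would see
# nothing useful anyway) - keep the two in agreement so rules using $HTTP_PORTS
# and the preprocessor cover the same ports.
var HTTP_PORTS [80,443]
var SHELLCODE_PORTS !$HTTP_PORTS
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# --- Global config -----------------------------------------------------------
# policy_id 0 is the default policy. The per-VLAN / per-subnet binding that
# manual section 2.10 (quoted earlier in the thread) describes is done with
# "config binding:" lines pointing at additional snort.conf files; this file
# has none, so only the default configuration is in effect. See 2.10.1 for the
# exact syntax.
config policy_id: 0
#config alert_with_interface_name
#config alertfile: <filename>
#config asn1: <max-nodes>
# Left commented: with preprocessor.rules / decoder.rules also commented out in
# the include section, preprocessor and decoder events (e.g. the
# detect_anomalies options enabled below) may not be emitted at all, depending
# on build options - confirm against the 2.8.5 manual, section 2.9.
#config autogenerate_preprocessor_decoder_rules
#config bpf_file: <filename>
# checksum_drop only has an effect in inline mode. checksum_mode icmp means
# IP/TCP/UDP checksums are not verified before inspection.
config checksum_drop: icmp
config checksum_mode: icmp
# chroot here and set_gid/set_uid further down are all commented out, so the
# daemon keeps root for its whole lifetime. Dropping privileges after the
# capture interface is opened is the usual hardening step for a sensor.
#config chroot: <dir>
#config classification: { high }
config daemon
config decode_data_link
#config default_rule_state: enable
# lowmem trades matching speed for memory; ac / ac-std (listed in the next
# comment) are the faster choices if RAM allows.
config detection: search-method lowmem
#ac ac-std lowmem
# Decoder / TCP-option alert families are disabled below while their *_drops
# counterparts are enabled; the drops do nothing outside inline mode, so in
# IDS mode these option anomalies are neither alerted on nor dropped.
config disable_decode_alerts
#config disable_inline_init_failopen
config disable_ipopt_alerts
config disable_tcpopt_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_ttcp_alerts
# dump_chars_only / dump_payload / dump_payload_verbose and "verbose" below
# are packet-printing options (-C/-d/-X/-v); in daemon mode with logging
# disabled they mostly add CPU cost - review whether they are still wanted.
config dump_chars_only
config dump_payload
config dump_payload_verbose
#config enable_decode_drops
#config enable_decode_oversized_alerts
#config enable_decode_oversized_drops
#config enable_ipopt_drops
#config enable_mpls_multicast
#config enable_mpls_overlapping_ip
config enable_tcpopt_drops
config enable_tcpopt_experimental_drops
config enable_tcpopt_obsolete_drops
config enable_tcpopt_ttcp_drops
config enable_ttcp_drops
# Memory cap (bytes) for event_filter / threshold tracking.
config event_filter: memcap 1048576
#config event_queue: [max_queue <num>][log <num>][order_events <order>]
#config flexresp2_attempts:
#config flexresp2_interface:
#config flexresp2_memcap: <bytes>
#config flexresp2_rows: <num-rows>
#config flowbits_size: <num-bits>
#config ignore_ports: <proto> <port-list>
config interface: eth0
#config ipv6_frag:[bsd_icmp_frag_alert_on|off][,_bad_ipv6_frag_alert_on|off][, frag timeout <secs>][,max_frag_sessions <max-track>]
#config layer2resets: <mac-addr>
config logdir: /var/log/snort
#config max_attribute_hosts: <hosts>
#config max_mpls_labelchain_len: <num-hdrs>
#config min_ttl: <ttl>
#config mpls_payload_type:_ipv4|ipv6|ethernet
# no_promisc limits capture to frames addressed to this host. That is fine if
# the sensor only watches itself; on a SPAN/mirror port it would miss the
# rest of the /29.
config no_promisc
# nolog disables the logging facility (alerts still fire). As a result the
# "output log_tcpdump" and "output database: log" lines in the output section
# appear to produce nothing - either drop nolog or switch the database output
# to alert mode.
config nolog
# nopcre disables PCRE evaluation. Many rules in the included rule sets carry a
# pcre option; check how those behave without it before keeping this.
config nopcre
# obfuscate masks IP addresses in output. This is the most likely reason the
# alerts pasted in the thread show 0.0.0.0 for both endpoints, which makes them
# useless for triage - confirm by removing it.
config obfuscate
#config order: <order>
#config pcre_match_limit: <integer>
#config pcre_match_limit_recursion: <integer>
#config pkt_count: <N>
#config policy_version: <base-version-string> [<binding-version-string>]
#!!!!!!!!config profile preprocs: print all, sort checks
#!!!!!!!!config profile_rules
#config quiet
#config read_bin_file: <pcap>
#config reference: <ref>
#config reference_net <cidr>
# Commented out: see the root-privilege note next to "config chroot" above.
#config set_gid: <gid> set_uid: <uid>
config show_year
#config snaplen: <bytes>
config stateful
#config tagged_packet_limit:
config timestats_interval: 3600
#config umask: <umask>
config utc
config verbose

####### PREPROCESSORS
## DYNAMIC PREPROCESSORS
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
#### FRAG 3
#preprocessor frag3
preprocessor frag3_global
# Target-based reassembly: "first" policy for the monitored /29, a second
# engine with anomaly detection for everything else.
preprocessor frag3_engine: policy first bind_to 77.91.72.32/29
preprocessor frag3_engine: policy last detect_anomalies
#### STREAM 5
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes, detect_anomalies
# Hosts in the /29 are reassembled with the linux policy.
preprocessor stream5_tcp: bind_to 77.91.72.32/29, policy linux
preprocessor stream5_udp: ignore_any_rules
#### PORTSCAN
#preprocessor flow: stats_interval 0 hash 2
# watch_ip narrows scan detection to the single host 77.91.72.33, not the
# whole /29 in HOME_NET - widen it if the other hosts should be covered.
preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 } sense_level { medium } watch_ip { 77.91.72.33 } detect_ack_scans
#### RPC
preprocessor rpc_decode
#### PERFORMANCE MONITOR
# Stats file lives in the world-writable /var/tmp while snort runs as root
# (see the set_uid note above); /var/log/snort would be the safer location.
preprocessor perfmonitor: time 300 file /var/tmp/snortstat pktcnt 10000
##### HTTP Inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
# Only port 80 is inspected here although HTTP_PORTS also lists 443.
preprocessor http_inspect_server: server default profile all ports { 80 }
##### SMTP Inspect
preprocessor SMTP: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
###### FTP/TELNET
preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
preprocessor ftp_telnet_protocol: telnet ports { 23 } normalize ayt_attack_thresh 6 detect_anomalies
preprocessor ftp_telnet_protocol: ftp client default bounce no max_resp_len 200
preprocessor ftp_telnet_protocol: ftp server default ports { 21 }
####### SSH
preprocessor ssh: server_ports { 22 } max_client_bytes 19600 max_encrypted_packets 20 enable_respoverflow enable_ssh1crc32
######## DCE/RPC
# Old dcerpc preprocessor stays disabled; dcerpc2 below replaces it.
#preprocessor dcerpc: ports smb { 139 445 } ports dcerpc { 135 } max_frag_size 3000 memcap 100000 reassemble_increment 0
######### DNS
preprocessor dns: ports { 53 } enable_rdata_overflow
########## SSL
preprocessor ssl: noinspect_encrypted
########### arpspoof
preprocessor arpspoof: -unicast
########### DCE/RPC2
preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
preprocessor dcerpc2_server: default, policy WinXP, detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], smb_max_chain 3

################### MYSQL
# Note: both outputs below are logging outputs and are silenced by
# "config nolog" above (see that note).
output log_tcpdump: tcpdump.log
# The post contained the real database password in clear text. It is replaced
# with a placeholder here; if the posted value was real it should be rotated,
# and a shared config should never carry the credential inline.
output database: log, mysql, user=snort password=<DB_PASSWORD_PLACEHOLDER> dbname=snort host=localhost
#output alert_csv: /var/log/alert.csv default
########## FILTERS
# The "1600 per minute" flood limit mentioned in the thread is not in this
# file. If it is meant for the SIP-flooding alerts, it would be an event_filter
# / rate_filter here (template below is commented out) or an entry in
# threshold.conf, included at the end.
#rate_filter gen_id 135, sig_id 2, track by_src, count 100, seconds 0, new_action drop, timeout 10
#config profile_rules
#################### INCLUDE
# Despite its name this variable is the general rules directory.
var PREPROC_RULE_PATH /etc/snort/rules
include classification.config
include reference.config
# See the note at autogenerate_preprocessor_decoder_rules: with both of these
# commented out, preprocessor/decoder events may never be generated.
#include $PREPROC_RULE_PATH/preprocessor.rules
#include $PREPROC_RULE_PATH/decoder.rules
#=========================================
include $PREPROC_RULE_PATH/local.rules
include $PREPROC_RULE_PATH/bad-traffic.rules
include $PREPROC_RULE_PATH/exploit.rules
include $PREPROC_RULE_PATH/community-exploit.rules
include $PREPROC_RULE_PATH/scan.rules
include $PREPROC_RULE_PATH/finger.rules
include $PREPROC_RULE_PATH/ftp.rules
include $PREPROC_RULE_PATH/telnet.rules
include $PREPROC_RULE_PATH/rpc.rules
include $PREPROC_RULE_PATH/rservices.rules
include $PREPROC_RULE_PATH/dos.rules
include $PREPROC_RULE_PATH/community-dos.rules
include $PREPROC_RULE_PATH/ddos.rules
include $PREPROC_RULE_PATH/dns.rules
include $PREPROC_RULE_PATH/tftp.rules
# Specific web server rules:
include $PREPROC_RULE_PATH/web-cgi.rules
include $PREPROC_RULE_PATH/web-coldfusion.rules
include $PREPROC_RULE_PATH/web-iis.rules
include $PREPROC_RULE_PATH/web-frontpage.rules
include $PREPROC_RULE_PATH/web-misc.rules
include $PREPROC_RULE_PATH/web-client.rules
include $PREPROC_RULE_PATH/web-php.rules
include $PREPROC_RULE_PATH/community-sql-injection.rules
include $PREPROC_RULE_PATH/community-web-client.rules
include $PREPROC_RULE_PATH/community-web-dos.rules
include $PREPROC_RULE_PATH/community-web-iis.rules
include $PREPROC_RULE_PATH/community-web-misc.rules
include $PREPROC_RULE_PATH/community-web-php.rules
# Rules for other services:
include $PREPROC_RULE_PATH/sql.rules
include $PREPROC_RULE_PATH/x11.rules
# icmp.rules is included once here; the original had a second include of the
# same file in the "Extremely chatty rules" group, which was dropped.
include $PREPROC_RULE_PATH/icmp.rules
include $PREPROC_RULE_PATH/netbios.rules
include $PREPROC_RULE_PATH/misc.rules
include $PREPROC_RULE_PATH/attack-responses.rules
include $PREPROC_RULE_PATH/oracle.rules
include $PREPROC_RULE_PATH/community-oracle.rules
include $PREPROC_RULE_PATH/mysql.rules
include $PREPROC_RULE_PATH/snmp.rules
include $PREPROC_RULE_PATH/community-ftp.rules
include $PREPROC_RULE_PATH/smtp.rules
include $PREPROC_RULE_PATH/community-smtp.rules
include $PREPROC_RULE_PATH/imap.rules
include $PREPROC_RULE_PATH/community-imap.rules
include $PREPROC_RULE_PATH/pop2.rules
include $PREPROC_RULE_PATH/pop3.rules
include $PREPROC_RULE_PATH/nntp.rules
include $PREPROC_RULE_PATH/community-nntp.rules
# Source of the "COMMUNITY SIP TCP/IP message flooding" alerts from the thread.
include $PREPROC_RULE_PATH/community-sip.rules
include $PREPROC_RULE_PATH/other-ids.rules
# Attack-in-progress rules:
include $PREPROC_RULE_PATH/web-attacks.rules
include $PREPROC_RULE_PATH/backdoor.rules
include $PREPROC_RULE_PATH/community-bot.rules
include $PREPROC_RULE_PATH/community-virus.rules
# This rule set is almost useless currently:
include $PREPROC_RULE_PATH/virus.rules
# Note: this rule set is extremely chatty, enable with care
include $PREPROC_RULE_PATH/shellcode.rules
# Policy related rules:
include $PREPROC_RULE_PATH/policy.rules
include $PREPROC_RULE_PATH/community-policy.rules
# include $PREPROC_RULE_PATH/porn.rules
# include $PREPROC_RULE_PATH/community-inappropriate.rules
# include $PREPROC_RULE_PATH/chat.rules
include $PREPROC_RULE_PATH/multimedia.rules
# include $PREPROC_RULE_PATH/p2p.rules
# include $PREPROC_RULE_PATH/community-game.rules
include $PREPROC_RULE_PATH/community-misc.rules
# Extremely chatty rules:
include $PREPROC_RULE_PATH/info.rules
include $PREPROC_RULE_PATH/icmp-info.rules
include $PREPROC_RULE_PATH/community-icmp.rules
# Experimental rules:
# NOTICE: this is currently empty
include $PREPROC_RULE_PATH/experimental.rules
#INCLUDE OTHER
include $PREPROC_RULE_PATH/content-replace.rules
include $PREPROC_RULE_PATH/open-test.conf
include $PREPROC_RULE_PATH/scada.rules
include $PREPROC_RULE_PATH/specific-threats.rules
include $PREPROC_RULE_PATH/spyware-put.rules
include $PREPROC_RULE_PATH/voip.rules
include $PREPROC_RULE_PATH/web-activex.rules
# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them.
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:snortetcthreshold.conf
# Uncomment if needed.
include threshold.conf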
Пользователь решил продолжить мысль 21 Ноября 2009, 18:23:17:
Чего-то я не разобрался в том, как конфиг прибиндить,
т.е. как скормить ему сразу несколько конфигов.
Может, кто подскажет?