madsurfer Boulet's eradicator | Here is the installed package:
Code:
snort.i386 2.6.1.1-4.fc6 installed
Matched from:
snort
Snort is a libpcap-based packet sniffer/logger which
can be used as a lightweight network intrusion detection system.
It features rules based logging and can perform protocol analysis,
content searching/matching and can be used to detect a variety of
attacks and probes, such as buffer overflows, stealth port scans,
CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Snort has a real-time alerting capabilty, with alerts being sent to syslog,
a seperate "alert" file, or as a WinPopup message via Samba's smbclient
Edit /etc/snort.conf to configure snort and use snort.d to start snort
This rpm is different from previous rpms and while it will not clobber
your current snortd file, you will need to modify it.
There are 9 different packages available
All of them require the base snort rpm. Additionally, you will need
to chose a binary to install.
/usr/sbin/snort should end up being a symlink to a binary in one of
the following configurations:
plain plain+flexresp
mysql mysql+flexresp
postgresql postgresql+flexresp
snmp snmp+flexresp
bloat mysql+postgresql+flexresp+snmp
Please see the documentation in /usr/share/doc/snort-2.6.1.1
There are no rules in this package the license they are released under forbids
us from repackaging them and redistributing them.
|
I also ran this little test
Code:
[root@stpxfd2a dynamicpreprocessor]# snort -d -c /etc/snort/snort.conf --dynamic-preprocessor-lib-dir /usr/lib/snort_dynamicpreprocessor/
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 110 chars
[XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 14 chars, value = [XXXXXXXX]
Var 'SMTP_SERVERS' defined, value len = 66 chars
[XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
Var 'HTTP_SERVERS' defined, value len = 66 chars
[XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
Var 'SQL_SERVERS' defined, value len = 110 chars
[XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
Var 'TELNET_SERVERS' defined, value len = 110 chars
[XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
Var 'SNMP_SERVERS' defined, value len = 110 chars
[XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit: 5
Fragment Problems: 1
Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Allow Blocking of TCP Sessions in Inline: ACTIVE
Server Data Inspection Limit: -1
WARNING /etc/snort/snort.conf(417) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: ACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 53 80 110 111 139 143 445 513 1433
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
WARNING /etc/snort/snort.conf(454) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
5331 Snort rules read...
5331 Option Chains linked into 233 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Tagged Packet Limit: 256
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=4984 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/lib/snort/dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
|
Warning: Directory /usr/lib/snort_dynamicpreprocessor/ does not exist! => and yes, that's normal, the directory doesn't exist on my system!!
Code:
Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
Detect Anomalies: NO
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25
Inspection Type: STATEFUL
Normalize Spaces: YES
Ignore Data: NO
Ignore TLS Data: NO
Ignore Alerts: NO
Max Command Length: 0
Max Header Line Length: 0
Max Response Line Length: 0
X-Link2State Alert: YES
Drop on X-Link2State Alert: NO
/etc/snort/snort.conf(792) unknown dynamic preprocessor "dcerpc"
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
ERROR: Misconfigured dynamic preprocessor(s)
Fatal Error, Quitting..
|
Message edited by madsurfer on 15-03-2007 at 18:27:58
|
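The startup log above only reveals the missing preprocessor at the moment Snort aborts: the conf at line 792 asks for "dcerpc", but the lib directory only provides the ftptelnet, smtp and dns libraries. The following is an added example (not from madsurfer's post nor from the Snort project) that performs that cross-check ahead of time; it assumes the four dynamic keywords of Snort 2.6.1 (ftp_telnet, smtp, dns, dcerpc) and the libsf_<keyword-without-underscores>_preproc.so naming seen in the log, and the sample conf and lib directory it builds are constructed.

```shell
#!/bin/sh
# Added example: report every active "preprocessor <name>" directive in a
# snort.conf that needs a dynamic library which is absent from the lib dir,
# and refuse to run at all if the lib dir itself does not exist (the post's
# --dynamic-preprocessor-lib-dir pointed at a nonexistent directory).

# Assumption: these are the dynamic preprocessor keywords of Snort 2.6.1; the
# library name is libsf_<keyword minus underscores>_preproc.so (ftp_telnet ->
# libsf_ftptelnet_preproc.so, as shown in the startup log).
DYNAMIC_KEYWORDS="ftp_telnet smtp dns dcerpc"

check_dynamic_preprocs() {  # $1 = snort.conf, $2 = lib dir; prints missing keywords
    conf=$1; libdir=$2
    [ -d "$libdir" ] || { echo "lib dir $libdir does not exist" >&2; return 2; }
    # Keep only active directives (a leading '#' means commented out) and
    # extract the keyword that follows "preprocessor".
    sed -n 's/^[[:space:]]*preprocessor[[:space:]][[:space:]]*\([A-Za-z0-9_][A-Za-z0-9_]*\).*/\1/p' "$conf" |
    sort -u | while read -r kw; do
        case " $DYNAMIC_KEYWORDS " in
            *" $kw "*) ;;      # dynamic keyword: its library must be present
            *) continue ;;     # compiled-in preprocessor (frag3, stream4, ...)
        esac
        lib="$libdir/libsf_$(printf '%s' "$kw" | tr -d '_')_preproc.so"
        [ -f "$lib" ] || echo "$kw"
    done
}

demo() {  # constructed inputs mirroring the post: three libs present, dcerpc requested
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/preproc"
    for l in ftptelnet smtp dns; do : > "$tmp/preproc/libsf_${l}_preproc.so"; done
    cat > "$tmp/snort.conf" <<'EOF'
preprocessor frag3_global: max_frags 65536
preprocessor ftp_telnet: global inspection_type stateful
preprocessor smtp: ports { 25 }
# preprocessor dns: ports { 5353 }
preprocessor dcerpc: autodetect
preprocessor dns: ports { 53 }
EOF
    check_dynamic_preprocs "$tmp/snort.conf" "$tmp/preproc"   # prints: dcerpc
    rm -rf "$tmp"
}
```

Run `check_dynamic_preprocs /etc/snort/snort.conf /usr/lib/snort/dynamicpreprocessor` on a real sensor; any keyword it prints is a directive to comment out or a library to install before Snort will start.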