Forum |  HardWare.fr | News | Articles | PC | Prix | S'identifier | S'inscrire | Aide | Shop Recherche
2026 connectés 

  FORUM HardWare.fr
  Linux et OS Alternatifs
  réseaux et sécurité

  Configuration snort - probleme preprocessor

 



 Mot :   Pseudo :  
 
Bas de page
Auteur Sujet :

Configuration snort - probleme preprocessor

n°895192
madsurfer
Boulet's eradicator
Posté le 15-03-2007 à 18:19:08  profilanswer
 

:hello:  
 
J'essai désespérament de faire fonctionner snort sous une Fedora Core 6.
J'ai installé le package à partir de yum et j'obtiens cette erreur lorsque je lance le service.
"libdynamicexample.so", le répertoire snort_dynamicrule/ n'existe pas sur ma machine....
 
J'ai raté quelque chose ?
 
Merci d'avance pour votre aide  :jap:  
 

Code :
  1. Mar 15 18:07:42 test snort[32017]: +-----------------------[thresholding-config]----------------------------------
  2. Mar 15 18:07:42 test snort[32017]: | memory-cap : 1048576 bytes
  3. Mar 15 18:07:42 test snort[32017]: +-----------------------[thresholding-global]----------------------------------
  4. Mar 15 18:07:42 test snort[32017]: | none
  5. Mar 15 18:07:42 test snort[32017]: +-----------------------[thresholding-local]-----------------------------------
  6. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=3542       type=Threshold tracking=src count=5   seconds=2 
  7. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2 
  8. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60 
  9. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60 
  10. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2 
  11. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=4984       type=Threshold tracking=src count=5   seconds=2 
  12. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10 
  13. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5   seconds=60 
  14. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60 
  15. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=3543       type=Threshold tracking=src count=5   seconds=2 
  16. Mar 15 18:07:42 test snort[32017]: +-----------------------[suppression]------------------------------------------
  17. Mar 15 18:07:42 test snort[32017]: | none
  18. Mar 15 18:07:42 test snort[32017]: -------------------------------------------------------------------------------
  19. Mar 15 18:07:42 test snort[32017]: Rule application order: ->activation->dynamic->pass->drop->alert->log
  20. Mar 15 18:07:42 test snort[32017]: Log directory = /var/log/snort
  21. Mar 15 18:07:42 test snort[32017]: Loading dynamic engine /usr/lib/snort/dynamicengine/libsf_engine.so...
  22. Mar 15 18:07:42 test snort[32017]: done
  23. Mar 15 18:07:42 test snort[32017]: Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/...
  24. Mar 15 18:07:42 test snort[32017]:   Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so...  
  25. Mar 15 18:07:42 test snort[32017]: done
  26. Mar 15 18:07:42 test snort[32017]:   Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so...  
  27. Mar 15 18:07:42 test snort[32017]: done
  28. Mar 15 18:07:42 test snort[32017]:   Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so...  
  29. Mar 15 18:07:42 test snort[32017]: done
  30. Mar 15 18:07:42 test snort[32017]:   Finished Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/
  31. Mar 15 18:07:42 test snort[32017]: FTPTelnet Config:
  32. Mar 15 18:07:42 test snort[32017]:     GLOBAL CONFIG
  33. Mar 15 18:07:42 test snort[32017]:       Inspection Type: stateful
  34. Mar 15 18:07:42 test snort[32017]:       Check for Encrypted Traffic: YES alert: YES
  35. Mar 15 18:07:42 test snort[32017]:       Continue to check encrypted data: NO
  36. Mar 15 18:07:42 test snort[32017]:     TELNET CONFIG:
  37. Mar 15 18:07:42 test snort[32017]:       Ports: 23 
  38. Mar 15 18:07:42 test snort[32017]:       Are You There Threshold: 200
  39. Mar 15 18:07:42 test snort[32017]:       Normalize: YES
  40. Mar 15 18:07:42 test snort[32017]:       Detect Anomalies: NO
  41. Mar 15 18:07:42 test snort[32017]:     FTP CONFIG:
  42. Mar 15 18:07:42 test snort[32017]:       FTP Server: default
  43. Mar 15 18:07:42 test snort[32017]:         Ports: 21 
  44. Mar 15 18:07:42 test snort[32017]:         Check for Telnet Cmds: YES alert: YES
  45. Mar 15 18:07:42 test snort[32017]:         Identify open data channels: YES
  46. Mar 15 18:07:42 test snort[32017]:       FTP Client: default
  47. Mar 15 18:07:42 test snort[32017]:         Check for Bounce Attacks: YES alert: YES
  48. Mar 15 18:07:42 test snort[32017]:         Check for Telnet Cmds: YES alert: YES
  49. Mar 15 18:07:42 test snort[32017]:         Max Response Length: 256
  50. Mar 15 18:07:42 test snort[32017]: SMTP Config:
  51. Mar 15 18:07:42 test snort[32017]:       Ports:
  52. Mar 15 18:07:42 test snort[32017]: 25
  53. Mar 15 18:07:42 test snort[32017]: 
  54. Mar 15 18:07:42 test snort[32017]:       Inspection Type:            STATEFUL
  55. Mar 15 18:07:42 test snort[32017]:       Normalize Spaces:           YES
  56. Mar 15 18:07:42 test snort[32017]:       Ignore Data:                NO
  57. Mar 15 18:07:42 test snort[32017]:       Ignore TLS Data:            NO
  58. Mar 15 18:07:42 test snort[32017]:       Ignore Alerts:              NO
  59. Mar 15 18:07:42 test snort[32017]:       Max Command Length:         0
  60. Mar 15 18:07:42 test snort[32017]:       Max Header Line Length:     0
  61. Mar 15 18:07:42 test snort[32017]:       Max Response Line Length:   0
  62. Mar 15 18:07:42 test snort[32017]:       X-Link2State Alert:         YES
  63. Mar 15 18:07:42 test snort[32017]:       Drop on X-Link2State Alert: NO
  64. Mar 15 18:07:42 test snort[32017]: /etc/snort/snort.conf(792) unknown dynamic preprocessor "dcerpc"
  65. Mar 15 18:07:42 test snort[32017]: DNS config: 
  66. Mar 15 18:07:42 test snort[32017]:     DNS Client rdata txt Overflow Alert: ACTIVE
  67. Mar 15 18:07:42 test snort[32017]:     Obsolete DNS RR Types Alert: INACTIVE
  68. Mar 15 18:07:42 test snort[32017]:     Experimental DNS RR Types Alert: INACTIVE
  69. Mar 15 18:07:42 test snort[32017]:     Ports:
  70. Mar 15 18:07:42 test snort[32017]:  53
  71. Mar 15 18:07:42 test snort[32017]: 
  72. Mar 15 18:07:42 test snort[32017]: FATAL ERROR: Misconfigured dynamic preprocessor(s)


 
 
Voici le morceau de mon snort.conf qui fait reference aux préprocesseurs  
Par défaut certaines librairie snort était dans /usr/lib/.... j'ai fais la modification pour celle qui étaient présentent.
 

Code :
  1. ###################################################
  2. # Step #2: Configure dynamic loaded libraries
  3. #
  4. # If snort was configured to use dynamically loaded libraries,
  5. # those libraries can be loaded here.
  6. #
  7. # Each of the following configuration options can be done via
  8. # the command line as well.
  9. #
  10. # Load all dynamic preprocessors from the install path
  11. # (same as command line option --dynamic-preprocessor-lib-dir)
  12. #
  13. dynamicpreprocessor directory /usr/lib/snort/dynamicpreprocessor/
  14. #
  15. # Load a specific dynamic preprocessor library from the install path
  16. # (same as command line option --dynamic-preprocessor-lib)
  17. #
  18. # dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
  19. #
  20. # Load a dynamic engine from the install path
  21. # (same as command line option --dynamic-engine-lib)
  22. #
  23. # TEST - IL S'AGIRAIT D'UN BUG DU PACKAFE FEDORA - http://ftp.iasi.roedu.net/mirrors/ [...] -3402.html
  24. #dynamicengine /usr/lib/dynamicengine/libsf_engine.so
  25. dynamicengine /usr/lib/snort/dynamicengine/libsf_engine.so
  26. #
  27. # Load all dynamic rules libraries from the install path
  28. # (same as command line option --dynamic-detection-lib-dir)
  29. #
  30. # dynamicdetection directory /usr/local/lib/snort_dynamicrule/
  31. #
  32. # Load a specific dynamic rule library from the install path
  33. # (same as command line option --dynamic-detection-lib)
  34. #
  35. # dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
  36. #
  37. #
  38. ###################################################
  39. # Step #3: Configure preprocessors
  40. #
  41. # General configuration for preprocessors is of
  42. # the form
  43. # preprocessor <name_of_processor>: <configuration_options>
  44. # Configure Flow tracking module
  45. # -------------------------------
  46. #
  47. # The Flow tracking module is meant to start unifying the state keeping
  48. # mechanisms of snort into a single place. Right now, only a portscan detector
  49. # is implemented but in the long term,  many of the stateful subsystems of
  50. # snort will be migrated over to becoming flow plugins. This must be enabled
  51. # for flow-portscan to work correctly.
  52. #
  53. # See README.flow for additional information
  54. #
  55. preprocessor flow: stats_interval 0 hash 2
  56. # frag2: IP defragmentation support
  57. # -------------------------------
  58. # This preprocessor performs IP defragmentation.  This plugin will also detect
  59. # people launching fragmentation attacks (usually DoS) against hosts.  No
  60. # arguments loads the default configuration of the preprocessor, which is a 60
  61. # second timeout and a 4MB fragment buffer.
  62. # The following (comma delimited) options are available for frag2
  63. #    timeout [seconds] - sets the number of [seconds] that an unfinished
  64. #                        fragment will be kept around waiting for completion,
  65. #                        if this time expires the fragment will be flushed
  66. #    memcap [bytes] - limit frag2 memory usage to [number] bytes
  67. #                      (default:  4194304)
  68. #
  69. #    min_ttl [number] - minimum ttl to accept
  70. #
  71. #    ttl_limit [number] - difference of ttl to accept without alerting
  72. #                         will cause false positves with router flap
  73. #
  74. # Frag2 uses Generator ID 113 and uses the following SIDS
  75. # for that GID:
  76. #  SID     Event description
  77. # -----   -------------------
  78. #   1       Oversized fragment (reassembled frag > 64k bytes)
  79. #   2       Teardrop-type attack
  80. #preprocessor frag2
  81. # frag3: Target-based IP defragmentation
  82. # --------------------------------------
  83. #
  84. # Frag3 is a brand new IP defragmentation preprocessor that is capable of
  85. # performing "target-based" processing of IP fragments.  Check out the
  86. # README.frag3 file in the doc directory for more background and configuration
  87. # information.
  88. #
  89. # Frag3 configuration is a two step process, a global initialization phase
  90. # followed by the definition of a set of defragmentation engines.
  91. #
  92. # Global configuration defines the number of fragmented packets that Snort can
  93. # track at the same time and gives you options regarding the memory cap for the
  94. # subsystem or, optionally, allows you to preallocate all the memory for the
  95. # entire frag3 system.
  96. #
  97. # frag3_global options:
  98. #   max_frags: Maximum number of frag trackers that may be active at once.
  99. #              Default value is 8192.
  100. #   memcap: Maximum amount of memory that frag3 may access at any given time.
  101. #           Default value is 4MB.
  102. #   prealloc_frags: Maximum number of individual fragments that may be processed
  103. #                   at once.  This is instead of the memcap system, uses static
  104. #                   allocation to increase performance.  No default value.  Each
  105. #                   preallocated fragment eats ~1550 bytes.
  106. #
  107. # Target-based behavior is attached to an engine as a "policy" for handling
  108. # overlaps and retransmissions as enumerated in the Paxson paper.  There are
  109. # currently five policy types available: "BSD", "BSD-right", "First", "Linux"
  110. # and "Last".  Engines can be bound to bound to standard Snort CIDR blocks or
  111. # IP lists.
  112. #
  113. # frag3_engine options:
  114. #   timeout: Amount of time a fragmented packet may be active before expiring.
  115. #            Default value is 60 seconds.
  116. #   ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
  117. #              Based on the initial received fragment TTL.
  118. #   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
  119. #            value will be discarded.  Default value is 0.
  120. #   detect_anomalies: Activates frag3's anomaly detection mechanisms.
  121. #   policy: Target-based policy to assign to this engine.  Default is BSD.
  122. #   bind_to: IP address set to bind this engine to.  Default is all hosts.
  123. #
  124. # Frag3 configuration example:
  125. #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
  126. #preprocessor frag3_engine: policy linux \
  127. #                           bind_to [10.1.1.12/32,10.1.1.13/32] \
  128. #                           detect_anomalies
  129. #preprocessor frag3_engine: policy first \
  130. #                           bind_to 10.2.1.0/24 \
  131. #                           detect_anomalies
  132. #preprocessor frag3_engine: policy last \
  133. #                           bind_to 10.3.1.0/24
  134. #preprocessor frag3_engine: policy bsd
  135. preprocessor frag3_global: max_frags 65536
  136. preprocessor frag3_engine: policy first detect_anomalies
  137. # stream4: stateful inspection/stream reassembly for Snort
  138. #----------------------------------------------------------------------
  139. # Use in concert with the -z [all|est] command line switch to defeat stick/snot
  140. # against TCP rules.  Also performs full TCP stream reassembly, stateful
  141. # inspection of TCP streams, etc.  Can statefully detect various portscan
  142. # types, fingerprinting, ECN, etc.
  143. # stateful inspection directive
  144. search hit BOTTOM, continuing at TOP
  145. # no arguments loads the defaults (timeout 30, memcap 8388608)
  146. # options (options are comma delimited):
  147. #   detect_scans - stream4 will detect stealth portscans and generate alerts
  148. #                  when it sees them when this option is set
  149. #   detect_state_problems - detect TCP state problems, this tends to be very
  150. #                           noisy because there are a lot of crappy ip stack
  151. #                           implementations out there
  152. #
  153. #   disable_evasion_alerts - turn off the possibly noisy mitigation of
  154. #                            overlapping sequences.
  155. #
  156. #   ttl_limit [number]     - differential of the initial ttl on a session versus
  157. #                             the normal that someone may be playing games.
  158. #                             Routing flap may cause lots of false positives.
  159. #
  160. #   keepstats [machine|binary] - keep session statistics, add "machine" to
  161. #                         get them in a flat format for machine reading, add
  162. #                         "binary" to get them in a unified binary output
  163. #                         format
  164. #   noinspect - turn off stateful inspection only
  165. #   timeout [number] - set the session timeout counter to [number] seconds,
  166. #                      default is 30 seconds
  167. #   max_sessions [number] - limit the number of sessions stream4 keeps
  168. #                         track of
  169. #   memcap [number] - limit stream4 memory usage to [number] bytes (does
  170. #                     not include session tracking, which is set by the
  171. #                     max_sessions option)
  172. #   log_flushed_streams - if an event is detected on a stream this option will
  173. #                         cause all packets that are stored in the stream4
  174. #                         packet buffers to be flushed to disk.  This only
  175. #                         works when logging in pcap mode!
  176. #   server_inspect_limit [bytes] - Byte limit on server side inspection.
  177. #   enable_udp_sessions - turn on tracking of "sessions" over UDP.  Requires
  178. #                         configure --enable-stream4udp.  UDP sessions are
  179. #                         only created when there is a rule for the sender or
  180. #                         responder that has a flow or flowbits keyword.
  181. #   max_udp_sessions [number] - limit the number of simultaneous UDP sessions
  182. #                               to track
  183. #   udp_ignore_any - Do not inspect UDP packets unless there is a port specific
  184. #                    rule for a given port.  This is a performance improvement
  185. #                    and turns off inspection for udp xxx any -> xxx any rules
  186. #   cache_clean_sessions [number] - Cleanup the session cache by number sessions
  187. #                                   at a time.  The larger the value, the
  188. #                                   more sessions are purged from the cache when
  189. #                                   the session limit or memcap is reached.
  190. #                                   Defaults to 5.

mood
Publicité
Posté le 15-03-2007 à 18:19:08  profilanswer
 

n°895198
madsurfer
Boulet's eradicator
Posté le 15-03-2007 à 18:26:53  profilanswer
 

Voici le package installé :
 

Code :
  1. snort.i386                               2.6.1.1-4.fc6          installed     
  2. Matched from:
  3. snort
  4. Snort is a libpcap-based packet sniffer/logger which
  5. can be used as a lightweight network intrusion detection system.
  6. It features rules based logging and can perform protocol analysis,
  7. content searching/matching and can be used to detect a variety of
  8. attacks and probes, such as buffer overflows, stealth port scans,
  9. CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
  10. Snort has a real-time alerting capabilty, with alerts being sent to syslog,
  11. a seperate "alert" file, or as a WinPopup message via Samba's smbclient
  12. Edit /etc/snort.conf to configure snort and use snort.d to start snort
  13. This rpm is different from previous rpms and while it will not clobber
  14. your current snortd file, you will need to modify it.
  15. There are 9 different packages available
  16. All of them require the base snort rpm.  Additionally, you will need
  17. to chose a binary to install.
  18. /usr/sbin/snort should end up being a symlink to a binary in one of
  19. the following configurations:
  20. plain      plain+flexresp
  21. mysql      mysql+flexresp
  22. postgresql postgresql+flexresp
  23. snmp       snmp+flexresp
  24. bloat      mysql+postgresql+flexresp+snmp
  25. Please see the documentation in /usr/share/doc/snort-2.6.1.1
  26. There are no rules in this package  the license  they are released under forbids
  27. us from repackaging them  and redistributing them.


 
 
 
J'ai aussi effectué ce petit test
 

Code :
  1. [root@stpxfd2a dynamicpreprocessor]# snort -d -c /etc/snort/snort.conf --dynamic-preprocessor-lib-dir /usr/lib/snort_dynamicpreprocessor/
  2. Running in IDS mode
  3.         --== Initializing Snort ==--
  4. Initializing Output Plugins!
  5. Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
  6. Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
  7. Initializing Preprocessors!
  8. Initializing Plug-ins!
  9. Parsing Rules file /etc/snort/snort.conf
  10. +++++++++++++++++++++++++++++++++++++++++++++++++++
  11. Initializing rule chains...
  12. Var 'HOME_NET' defined, value len = 110 chars
  13.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  14. Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
  15. Var 'DNS_SERVERS' defined, value len = 14 chars, value = [XXXXXXXX]
  16. Var 'SMTP_SERVERS' defined, value len = 66 chars
  17.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  18. Var 'HTTP_SERVERS' defined, value len = 66 chars
  19.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  20. Var 'SQL_SERVERS' defined, value len = 110 chars
  21.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  22. Var 'TELNET_SERVERS' defined, value len = 110 chars
  23.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  24. Var 'SNMP_SERVERS' defined, value len = 110 chars
  25.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  26. Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
  27. Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
  28. Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
  29. Var 'AIM_SERVERS' defined, value len = 185 chars
  30.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  31. Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
  32. ,-----------[Flow Config]----------------------
  33. | Stats Interval:  0
  34. | Hash Method:     2
  35. | Memcap:          10485760
  36. | Rows  :          4099
  37. | Overhead Bytes:  16400(%0.16)
  38. `----------------------------------------------
  39. Frag3 global config:
  40.     Max frags: 65536
  41.     Fragment memory cap: 4194304 bytes
  42. Frag3 engine config:
  43.     Target-based policy: FIRST
  44.     Fragment timeout: 60 seconds
  45.     Fragment min_ttl:   1
  46.     Fragment ttl_limit: 5
  47.     Fragment Problems: 1
  48.     Bound Addresses: 0.0.0.0/0.0.0.0
  49. Stream4 config:
  50.     Stateful inspection: ACTIVE
  51.     Session statistics: INACTIVE
  52.     Session timeout: 30 seconds
  53.     Session memory cap: 8388608 bytes
  54.     Session count max: 8192 sessions
  55.     Session cleanup count: 5
  56.     State alerts: INACTIVE
  57.     Evasion alerts: INACTIVE
  58.     Scan alerts: INACTIVE
  59.     Log Flushed Streams: INACTIVE
  60.     MinTTL: 1
  61.     TTL Limit: 5
  62.     Async Link: 0
  63.     State Protection: 0
  64.     Self preservation threshold: 50
  65.     Self preservation period: 90
  66.     Suspend threshold: 200
  67.     Suspend period: 30
  68.     Enforce TCP State: INACTIVE 
  69.     Midstream Drop Alerts: INACTIVE
  70.     Allow Blocking of TCP Sessions in Inline: ACTIVE
  71.     Server Data Inspection Limit: -1
  72. WARNING /etc/snort/snort.conf(417) => flush_behavior set in config file, using old static flushpoints (0)
  73. Stream4_reassemble config:
  74.     Server reassembly: ACTIVE
  75.     Client reassembly: ACTIVE
  76.     Reassembler alerts: ACTIVE
  77.     Zero out flushed packets: INACTIVE
  78.     Flush stream on alert: INACTIVE
  79.     flush_data_diff_size: 500
  80.     Reassembler Packet Preferance : Favor Old
  81.     Packet Sequence Overlap Limit: -1
  82.     Flush behavior: Small (<255 bytes)
  83.     Ports: 21 23 25 53 80 110 111 139 143 445 513 1433
  84.     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
  85. WARNING /etc/snort/snort.conf(454) => flush_behavior set in config file, using old static flushpoints (0)
  86. Stream4_reassemble config:
  87.     Server reassembly: INACTIVE
  88.     Client reassembly: ACTIVE
  89.     Reassembler alerts: ACTIVE
  90.     Zero out flushed packets: INACTIVE
  91.     Flush stream on alert: INACTIVE
  92.     flush_data_diff_size: 500
  93.     Reassembler Packet Preferance : Favor Old
  94.     Packet Sequence Overlap Limit: -1
  95.     Flush behavior: Small (<255 bytes)
  96.     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
  97.     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
  98. HttpInspect Config:
  99.     GLOBAL CONFIG
  100.       Max Pipeline Requests:    0
  101.       Inspection Type:          STATELESS
  102.       Detect Proxy Usage:       NO
  103.       IIS Unicode Map Filename: /etc/snort/unicode.map
  104.       IIS Unicode Map Codepage: 1252
  105.     DEFAULT SERVER CONFIG:
  106.       Server profile: All
  107.       Ports: 80 8080 8180
  108.       Flow Depth: 300
  109.       Max Chunk Length: 500000
  110.       Inspect Pipeline Requests: YES
  111.       URI Discovery Strict Mode: NO
  112.       Allow Proxy Usage: NO
  113.       Disable Alerting: NO
  114.       Oversize Dir Length: 500
  115.       Only inspect URI: NO
  116.       Ascii: YES alert: NO
  117.       Double Decoding: YES alert: YES
  118.       %U Encoding: YES alert: YES
  119.       Bare Byte: YES alert: YES
  120.       Base36: OFF
  121.       UTF 8: OFF
  122.       IIS Unicode: YES alert: YES
  123.       Multiple Slash: YES alert: NO
  124.       IIS Backslash: YES alert: NO
  125.       Directory Traversal: YES alert: NO
  126.       Web Root Traversal: YES alert: YES
  127.       Apache WhiteSpace: YES alert: NO
  128.       IIS Delimiter: YES alert: NO
  129.       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
  130.       Non-RFC Compliant Characters: NONE
  131.       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
  132. rpc_decode arguments:
  133.     Ports to decode RPC on: 111 32771
  134.     alert_fragments: INACTIVE
  135.     alert_large_fragments: ACTIVE
  136.     alert_incomplete: ACTIVE
  137.     alert_multiple_requests: ACTIVE
  138. Portscan Detection Config:
  139.     Detect Protocols:  TCP UDP ICMP IP
  140.     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
  141.     Sensitivity Level: Low
  142.     Memcap (in bytes): 10000000
  143.     Number of Nodes:   36900
  144. 5331 Snort rules read...
  145. 5331 Option Chains linked into 233 Chain Headers
  146. 0 Dynamic rules
  147. +++++++++++++++++++++++++++++++++++++++++++++++++++
  148. Tagged Packet Limit: 256
  149. +-----------------------[thresholding-config]----------------------------------
  150. | memory-cap : 1048576 bytes
  151. +-----------------------[thresholding-global]----------------------------------
  152. | none
  153. +-----------------------[thresholding-local]-----------------------------------
  154. | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60
  155. | gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2 
  156. | gen-id=1      sig-id=3543       type=Threshold tracking=src count=5   seconds=2 
  157. | gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
  158. | gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2 
  159. | gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5   seconds=60
  160. | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
  161. | gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60
  162. | gen-id=1      sig-id=4984       type=Threshold tracking=src count=5   seconds=2 
  163. | gen-id=1      sig-id=3542       type=Threshold tracking=src count=5   seconds=2 
  164. +-----------------------[suppression]------------------------------------------
  165. | none
  166. -------------------------------------------------------------------------------
  167. Rule application order: ->activation->dynamic->pass->drop->alert->log
  168. Log directory = /var/log/snort
  169. Loading dynamic engine /usr/lib/snort/dynamicengine/libsf_engine.so... done
  170. Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...


Warning: Directory /usr/lib/snort_dynamicpreprocessor/ does not exist!=> et oui nomal le répertoire n'existe pas sur mon systeme !!

Code :
  1. Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
  2. Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/...
  3.   Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  4.   Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
  5.   Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
  6.   Finished Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/
  7. FTPTelnet Config:
  8.     GLOBAL CONFIG
  9.       Inspection Type: stateful
  10.       Check for Encrypted Traffic: YES alert: YES
  11.       Continue to check encrypted data: NO
  12.     TELNET CONFIG:
  13.       Ports: 23
  14.       Are You There Threshold: 200
  15.       Normalize: YES
  16.       Detect Anomalies: NO
  17.     FTP CONFIG:
  18.       FTP Server: default
  19.         Ports: 21
  20.         Check for Telnet Cmds: YES alert: YES
  21.         Identify open data channels: YES
  22.       FTP Client: default
  23.         Check for Bounce Attacks: YES alert: YES
  24.         Check for Telnet Cmds: YES alert: YES
  25.         Max Response Length: 256
  26. SMTP Config:
  27.       Ports: 25
  28.       Inspection Type:            STATEFUL
  29.       Normalize Spaces:           YES
  30.       Ignore Data:                NO
  31.       Ignore TLS Data:            NO
  32.       Ignore Alerts:              NO
  33.       Max Command Length:         0
  34.       Max Header Line Length:     0
  35.       Max Response Line Length:   0
  36.       X-Link2State Alert:         YES
  37.       Drop on X-Link2State Alert: NO
  38. /etc/snort/snort.conf(792) unknown dynamic preprocessor "dcerpc"
  39. DNS config:
  40.     DNS Client rdata txt Overflow Alert: ACTIVE
  41.     Obsolete DNS RR Types Alert: INACTIVE
  42.     Experimental DNS RR Types Alert: INACTIVE
  43.     Ports: 53
  44. ERROR: Misconfigured dynamic preprocessor(s)
  45. Fatal Error, Quitting..


Message édité par madsurfer le 15-03-2007 à 18:27:58
n°896121
madsurfer
Boulet's eradicator
Posté le 20-03-2007 à 07:21:15  profilanswer
 

[:macfly_fr]


Aller à :
Ajouter une réponse
  FORUM HardWare.fr
  Linux et OS Alternatifs
  réseaux et sécurité

  Configuration snort - probleme preprocessor

 

Sujets relatifs
[Debian] Carte SCSI + Carte SATA -> Problème :/Problème Récup données en utilisant linux (mandriva) sur pc portable
problème de mise en relation de linux avec domaine windowsProbleme avec Totem et Mplayer qui ne veulent plus rien lire.
Problème d'affichage (ATI)Probleme Fetchmail
serveur sun fire x2200 m2 : problème de boot[debian] problème de démarrage d'interface
Probleme installation driver NvidiaProbléme+postfix
Plus de sujets relatifs à : Configuration snort - probleme preprocessor


Copyright © 1997-2018 Hardware.fr SARL (Signaler un contenu illicite) / Groupe LDLC / Shop HFR