Forum |  HardWare.fr | News | Articles | PC | S'identifier | S'inscrire | Shop Recherche
1533 connectés 

  FORUM HardWare.fr
  Linux et OS Alternatifs
  réseaux et sécurité

  Configuration snort - probleme preprocessor

 
 


 Mot :   Pseudo :  
 
Bas de page
Auteur Sujet :

Configuration snort - probleme preprocessor

n°895192
madsurfer
Boulet's eradicator
Posté le 15-03-2007 à 18:19:08  profilanswer
 

:hello:  
 
J'essai désespérament de faire fonctionner snort sous une Fedora Core 6.
J'ai installé le package à partir de yum et j'obtiens cette erreur lorsque je lance le service.
"libdynamicexample.so", le répertoire snort_dynamicrule/ n'existe pas sur ma machine....
 
J'ai raté quelque chose ?
 
Merci d'avance pour votre aide  :jap:  
 

Code :
  1. Mar 15 18:07:42 test snort[32017]: +-----------------------[thresholding-config]----------------------------------
  2. Mar 15 18:07:42 test snort[32017]: | memory-cap : 1048576 bytes
  3. Mar 15 18:07:42 test snort[32017]: +-----------------------[thresholding-global]----------------------------------
  4. Mar 15 18:07:42 test snort[32017]: | none
  5. Mar 15 18:07:42 test snort[32017]: +-----------------------[thresholding-local]-----------------------------------
  6. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=3542       type=Threshold tracking=src count=5   seconds=2 
  7. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2 
  8. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60 
  9. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60 
  10. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2 
  11. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=4984       type=Threshold tracking=src count=5   seconds=2 
  12. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10 
  13. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5   seconds=60 
  14. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60 
  15. Mar 15 18:07:42 test snort[32017]: | gen-id=1      sig-id=3543       type=Threshold tracking=src count=5   seconds=2 
  16. Mar 15 18:07:42 test snort[32017]: +-----------------------[suppression]------------------------------------------
  17. Mar 15 18:07:42 test snort[32017]: | none
  18. Mar 15 18:07:42 test snort[32017]: -------------------------------------------------------------------------------
  19. Mar 15 18:07:42 test snort[32017]: Rule application order: ->activation->dynamic->pass->drop->alert->log
  20. Mar 15 18:07:42 test snort[32017]: Log directory = /var/log/snort
  21. Mar 15 18:07:42 test snort[32017]: Loading dynamic engine /usr/lib/snort/dynamicengine/libsf_engine.so...
  22. Mar 15 18:07:42 test snort[32017]: done
  23. Mar 15 18:07:42 test snort[32017]: Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/...
  24. Mar 15 18:07:42 test snort[32017]:   Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so...  
  25. Mar 15 18:07:42 test snort[32017]: done
  26. Mar 15 18:07:42 test snort[32017]:   Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so...  
  27. Mar 15 18:07:42 test snort[32017]: done
  28. Mar 15 18:07:42 test snort[32017]:   Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so...  
  29. Mar 15 18:07:42 test snort[32017]: done
  30. Mar 15 18:07:42 test snort[32017]:   Finished Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/
  31. Mar 15 18:07:42 test snort[32017]: FTPTelnet Config:
  32. Mar 15 18:07:42 test snort[32017]:     GLOBAL CONFIG
  33. Mar 15 18:07:42 test snort[32017]:       Inspection Type: stateful
  34. Mar 15 18:07:42 test snort[32017]:       Check for Encrypted Traffic: YES alert: YES
  35. Mar 15 18:07:42 test snort[32017]:       Continue to check encrypted data: NO
  36. Mar 15 18:07:42 test snort[32017]:     TELNET CONFIG:
  37. Mar 15 18:07:42 test snort[32017]:       Ports: 23 
  38. Mar 15 18:07:42 test snort[32017]:       Are You There Threshold: 200
  39. Mar 15 18:07:42 test snort[32017]:       Normalize: YES
  40. Mar 15 18:07:42 test snort[32017]:       Detect Anomalies: NO
  41. Mar 15 18:07:42 test snort[32017]:     FTP CONFIG:
  42. Mar 15 18:07:42 test snort[32017]:       FTP Server: default
  43. Mar 15 18:07:42 test snort[32017]:         Ports: 21 
  44. Mar 15 18:07:42 test snort[32017]:         Check for Telnet Cmds: YES alert: YES
  45. Mar 15 18:07:42 test snort[32017]:         Identify open data channels: YES
  46. Mar 15 18:07:42 test snort[32017]:       FTP Client: default
  47. Mar 15 18:07:42 test snort[32017]:         Check for Bounce Attacks: YES alert: YES
  48. Mar 15 18:07:42 test snort[32017]:         Check for Telnet Cmds: YES alert: YES
  49. Mar 15 18:07:42 test snort[32017]:         Max Response Length: 256
  50. Mar 15 18:07:42 test snort[32017]: SMTP Config:
  51. Mar 15 18:07:42 test snort[32017]:       Ports:
  52. Mar 15 18:07:42 test snort[32017]: 25
  53. Mar 15 18:07:42 test snort[32017]: 
  54. Mar 15 18:07:42 test snort[32017]:       Inspection Type:            STATEFUL
  55. Mar 15 18:07:42 test snort[32017]:       Normalize Spaces:           YES
  56. Mar 15 18:07:42 test snort[32017]:       Ignore Data:                NO
  57. Mar 15 18:07:42 test snort[32017]:       Ignore TLS Data:            NO
  58. Mar 15 18:07:42 test snort[32017]:       Ignore Alerts:              NO
  59. Mar 15 18:07:42 test snort[32017]:       Max Command Length:         0
  60. Mar 15 18:07:42 test snort[32017]:       Max Header Line Length:     0
  61. Mar 15 18:07:42 test snort[32017]:       Max Response Line Length:   0
  62. Mar 15 18:07:42 test snort[32017]:       X-Link2State Alert:         YES
  63. Mar 15 18:07:42 test snort[32017]:       Drop on X-Link2State Alert: NO
  64. Mar 15 18:07:42 test snort[32017]: /etc/snort/snort.conf(792) unknown dynamic preprocessor "dcerpc"
  65. Mar 15 18:07:42 test snort[32017]: DNS config: 
  66. Mar 15 18:07:42 test snort[32017]:     DNS Client rdata txt Overflow Alert: ACTIVE
  67. Mar 15 18:07:42 test snort[32017]:     Obsolete DNS RR Types Alert: INACTIVE
  68. Mar 15 18:07:42 test snort[32017]:     Experimental DNS RR Types Alert: INACTIVE
  69. Mar 15 18:07:42 test snort[32017]:     Ports:
  70. Mar 15 18:07:42 test snort[32017]:  53
  71. Mar 15 18:07:42 test snort[32017]: 
  72. Mar 15 18:07:42 test snort[32017]: FATAL ERROR: Misconfigured dynamic preprocessor(s)


 
 
Voici le morceau de mon snort.conf qui fait reference aux préprocesseurs  
Par défaut certaines librairie snort était dans /usr/lib/.... j'ai fais la modification pour celle qui étaient présentent.
 

Code :
  1. ###################################################
  2. # Step #2: Configure dynamic loaded libraries
  3. #
  4. # If snort was configured to use dynamically loaded libraries,
  5. # those libraries can be loaded here.
  6. #
  7. # Each of the following configuration options can be done via
  8. # the command line as well.
  9. #
  10. # Load all dynamic preprocessors from the install path
  11. # (same as command line option --dynamic-preprocessor-lib-dir)
  12. #
  13. dynamicpreprocessor directory /usr/lib/snort/dynamicpreprocessor/
  14. #
  15. # Load a specific dynamic preprocessor library from the install path
  16. # (same as command line option --dynamic-preprocessor-lib)
  17. #
  18. # dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
  19. #
  20. # Load a dynamic engine from the install path
  21. # (same as command line option --dynamic-engine-lib)
  22. #
  23. # TEST - IL S'AGIRAIT D'UN BUG DU PACKAFE FEDORA - http://ftp.iasi.roedu.net/mirrors/ [...] -3402.html
  24. #dynamicengine /usr/lib/dynamicengine/libsf_engine.so
  25. dynamicengine /usr/lib/snort/dynamicengine/libsf_engine.so
  26. #
  27. # Load all dynamic rules libraries from the install path
  28. # (same as command line option --dynamic-detection-lib-dir)
  29. #
  30. # dynamicdetection directory /usr/local/lib/snort_dynamicrule/
  31. #
  32. # Load a specific dynamic rule library from the install path
  33. # (same as command line option --dynamic-detection-lib)
  34. #
  35. # dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
  36. #
  37. #
  39. ###################################################
  40. # Step #3: Configure preprocessors
  41. #
  42. # General configuration for preprocessors is of
  43. # the form
  44. # preprocessor <name_of_processor>: <configuration_options>
  46. # Configure Flow tracking module
  47. # -------------------------------
  48. #
  49. # The Flow tracking module is meant to start unifying the state keeping
  50. # mechanisms of snort into a single place. Right now, only a portscan detector
  51. # is implemented but in the long term,  many of the stateful subsystems of
  52. # snort will be migrated over to becoming flow plugins. This must be enabled
  53. # for flow-portscan to work correctly.
  54. #
  55. # See README.flow for additional information
  56. #
  57. preprocessor flow: stats_interval 0 hash 2
  59. # frag2: IP defragmentation support
  60. # -------------------------------
  61. # This preprocessor performs IP defragmentation.  This plugin will also detect
  62. # people launching fragmentation attacks (usually DoS) against hosts.  No
  63. # arguments loads the default configuration of the preprocessor, which is a 60
  64. # second timeout and a 4MB fragment buffer.
  66. # The following (comma delimited) options are available for frag2
  67. #    timeout [seconds] - sets the number of [seconds] that an unfinished
  68. #                        fragment will be kept around waiting for completion,
  69. #                        if this time expires the fragment will be flushed
  70. #    memcap [bytes] - limit frag2 memory usage to [number] bytes
  71. #                      (default:  4194304)
  72. #
  73. #    min_ttl [number] - minimum ttl to accept
  74. #
  75. #    ttl_limit [number] - difference of ttl to accept without alerting
  76. #                         will cause false positves with router flap
  77. #
  78. # Frag2 uses Generator ID 113 and uses the following SIDS
  79. # for that GID:
  80. #  SID     Event description
  81. # -----   -------------------
  82. #   1       Oversized fragment (reassembled frag > 64k bytes)
  83. #   2       Teardrop-type attack
  85. #preprocessor frag2
  87. # frag3: Target-based IP defragmentation
  88. # --------------------------------------
  89. #
  90. # Frag3 is a brand new IP defragmentation preprocessor that is capable of
  91. # performing "target-based" processing of IP fragments.  Check out the
  92. # README.frag3 file in the doc directory for more background and configuration
  93. # information.
  94. #
  95. # Frag3 configuration is a two step process, a global initialization phase
  96. # followed by the definition of a set of defragmentation engines.
  97. #
  98. # Global configuration defines the number of fragmented packets that Snort can
  99. # track at the same time and gives you options regarding the memory cap for the
  100. # subsystem or, optionally, allows you to preallocate all the memory for the
  101. # entire frag3 system.
  102. #
  103. # frag3_global options:
  104. #   max_frags: Maximum number of frag trackers that may be active at once.
  105. #              Default value is 8192.
  106. #   memcap: Maximum amount of memory that frag3 may access at any given time.
  107. #           Default value is 4MB.
  108. #   prealloc_frags: Maximum number of individual fragments that may be processed
  109. #                   at once.  This is instead of the memcap system, uses static
  110. #                   allocation to increase performance.  No default value.  Each
  111. #                   preallocated fragment eats ~1550 bytes.
  112. #
  113. # Target-based behavior is attached to an engine as a "policy" for handling
  114. # overlaps and retransmissions as enumerated in the Paxson paper.  There are
  115. # currently five policy types available: "BSD", "BSD-right", "First", "Linux"
  116. # and "Last".  Engines can be bound to bound to standard Snort CIDR blocks or
  117. # IP lists.
  118. #
  119. # frag3_engine options:
  120. #   timeout: Amount of time a fragmented packet may be active before expiring.
  121. #            Default value is 60 seconds.
  122. #   ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
  123. #              Based on the initial received fragment TTL.
  124. #   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
  125. #            value will be discarded.  Default value is 0.
  126. #   detect_anomalies: Activates frag3's anomaly detection mechanisms.
  127. #   policy: Target-based policy to assign to this engine.  Default is BSD.
  128. #   bind_to: IP address set to bind this engine to.  Default is all hosts.
  129. #
  130. # Frag3 configuration example:
  131. #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
  132. #preprocessor frag3_engine: policy linux \
  133. #                           bind_to [10.1.1.12/32,10.1.1.13/32] \
  134. #                           detect_anomalies
  135. #preprocessor frag3_engine: policy first \
  136. #                           bind_to 10.2.1.0/24 \
  137. #                           detect_anomalies
  138. #preprocessor frag3_engine: policy last \
  139. #                           bind_to 10.3.1.0/24
  140. #preprocessor frag3_engine: policy bsd
  142. preprocessor frag3_global: max_frags 65536
  143. preprocessor frag3_engine: policy first detect_anomalies
  146. # stream4: stateful inspection/stream reassembly for Snort
  147. #----------------------------------------------------------------------
  148. # Use in concert with the -z [all|est] command line switch to defeat stick/snot
  149. # against TCP rules.  Also performs full TCP stream reassembly, stateful
  150. # inspection of TCP streams, etc.  Can statefully detect various portscan
  151. # types, fingerprinting, ECN, etc.
  153. # stateful inspection directive
  154. search hit BOTTOM, continuing at TOP
  155. # no arguments loads the defaults (timeout 30, memcap 8388608)
  156. # options (options are comma delimited):
  157. #   detect_scans - stream4 will detect stealth portscans and generate alerts
  158. #                  when it sees them when this option is set
  159. #   detect_state_problems - detect TCP state problems, this tends to be very
  160. #                           noisy because there are a lot of crappy ip stack
  161. #                           implementations out there
  162. #
  163. #   disable_evasion_alerts - turn off the possibly noisy mitigation of
  164. #                            overlapping sequences.
  165. #
  166. #   ttl_limit [number]     - differential of the initial ttl on a session versus
  167. #                             the normal that someone may be playing games.
  168. #                             Routing flap may cause lots of false positives.
  169. #
  170. #   keepstats [machine|binary] - keep session statistics, add "machine" to
  171. #                         get them in a flat format for machine reading, add
  172. #                         "binary" to get them in a unified binary output
  173. #                         format
  174. #   noinspect - turn off stateful inspection only
  175. #   timeout [number] - set the session timeout counter to [number] seconds,
  176. #                      default is 30 seconds
  177. #   max_sessions [number] - limit the number of sessions stream4 keeps
  178. #                         track of
  179. #   memcap [number] - limit stream4 memory usage to [number] bytes (does
  180. #                     not include session tracking, which is set by the
  181. #                     max_sessions option)
  182. #   log_flushed_streams - if an event is detected on a stream this option will
  183. #                         cause all packets that are stored in the stream4
  184. #                         packet buffers to be flushed to disk.  This only
  185. #                         works when logging in pcap mode!
  186. #   server_inspect_limit [bytes] - Byte limit on server side inspection.
  187. #   enable_udp_sessions - turn on tracking of "sessions" over UDP.  Requires
  188. #                         configure --enable-stream4udp.  UDP sessions are
  189. #                         only created when there is a rule for the sender or
  190. #                         responder that has a flow or flowbits keyword.
  191. #   max_udp_sessions [number] - limit the number of simultaneous UDP sessions
  192. #                               to track
  193. #   udp_ignore_any - Do not inspect UDP packets unless there is a port specific
  194. #                    rule for a given port.  This is a performance improvement
  195. #                    and turns off inspection for udp xxx any -> xxx any rules
  196. #   cache_clean_sessions [number] - Cleanup the session cache by number sessions
  197. #                                   at a time.  The larger the value, the
  198. #                                   more sessions are purged from the cache when
  199. #                                   the session limit or memcap is reached.
  200. #                                   Defaults to 5.

mood
Publicité
Posté le 15-03-2007 à 18:19:08  profilanswer
 

n°895198
madsurfer
Boulet's eradicator
Posté le 15-03-2007 à 18:26:53  profilanswer
 

Voici le package installé :
 

Code :
  1. snort.i386                               2.6.1.1-4.fc6          installed     
  2. Matched from:
  3. snort
  4. Snort is a libpcap-based packet sniffer/logger which
  5. can be used as a lightweight network intrusion detection system.
  6. It features rules based logging and can perform protocol analysis,
  7. content searching/matching and can be used to detect a variety of
  8. attacks and probes, such as buffer overflows, stealth port scans,
  9. CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
  10. Snort has a real-time alerting capabilty, with alerts being sent to syslog,
  11. a seperate "alert" file, or as a WinPopup message via Samba's smbclient
  13. Edit /etc/snort.conf to configure snort and use snort.d to start snort
  15. This rpm is different from previous rpms and while it will not clobber
  16. your current snortd file, you will need to modify it.
  18. There are 9 different packages available
  20. All of them require the base snort rpm.  Additionally, you will need
  21. to chose a binary to install.
  23. /usr/sbin/snort should end up being a symlink to a binary in one of
  24. the following configurations:
  26. plain      plain+flexresp
  27. mysql      mysql+flexresp
  28. postgresql postgresql+flexresp
  29. snmp       snmp+flexresp
  30. bloat      mysql+postgresql+flexresp+snmp
  32. Please see the documentation in /usr/share/doc/snort-2.6.1.1
  34. There are no rules in this package  the license  they are released under forbids
  35. us from repackaging them  and redistributing them.


 
 
 
J'ai aussi effectué ce petit test
 

Code :
  1. [root@stpxfd2a dynamicpreprocessor]# snort -d -c /etc/snort/snort.conf --dynamic-preprocessor-lib-dir /usr/lib/snort_dynamicpreprocessor/
  2. Running in IDS mode
  4.         --== Initializing Snort ==--
  5. Initializing Output Plugins!
  6. Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
  7. Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
  8. Initializing Preprocessors!
  9. Initializing Plug-ins!
  10. Parsing Rules file /etc/snort/snort.conf
  12. +++++++++++++++++++++++++++++++++++++++++++++++++++
  13. Initializing rule chains...
  14. Var 'HOME_NET' defined, value len = 110 chars
  15.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  16. Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
  17. Var 'DNS_SERVERS' defined, value len = 14 chars, value = [XXXXXXXX]
  18. Var 'SMTP_SERVERS' defined, value len = 66 chars
  19.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  20. Var 'HTTP_SERVERS' defined, value len = 66 chars
  21.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  22. Var 'SQL_SERVERS' defined, value len = 110 chars
  23.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  24. Var 'TELNET_SERVERS' defined, value len = 110 chars
  25.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  26. Var 'SNMP_SERVERS' defined, value len = 110 chars
  27.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  28. Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
  29. Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
  30. Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
  31. Var 'AIM_SERVERS' defined, value len = 185 chars
  32.    [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
  33. Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
  34. ,-----------[Flow Config]----------------------
  35. | Stats Interval:  0
  36. | Hash Method:     2
  37. | Memcap:          10485760
  38. | Rows  :          4099
  39. | Overhead Bytes:  16400(%0.16)
  40. `----------------------------------------------
  41. Frag3 global config:
  42.     Max frags: 65536
  43.     Fragment memory cap: 4194304 bytes
  44. Frag3 engine config:
  45.     Target-based policy: FIRST
  46.     Fragment timeout: 60 seconds
  47.     Fragment min_ttl:   1
  48.     Fragment ttl_limit: 5
  49.     Fragment Problems: 1
  50.     Bound Addresses: 0.0.0.0/0.0.0.0
  51. Stream4 config:
  52.     Stateful inspection: ACTIVE
  53.     Session statistics: INACTIVE
  54.     Session timeout: 30 seconds
  55.     Session memory cap: 8388608 bytes
  56.     Session count max: 8192 sessions
  57.     Session cleanup count: 5
  58.     State alerts: INACTIVE
  59.     Evasion alerts: INACTIVE
  60.     Scan alerts: INACTIVE
  61.     Log Flushed Streams: INACTIVE
  62.     MinTTL: 1
  63.     TTL Limit: 5
  64.     Async Link: 0
  65.     State Protection: 0
  66.     Self preservation threshold: 50
  67.     Self preservation period: 90
  68.     Suspend threshold: 200
  69.     Suspend period: 30
  70.     Enforce TCP State: INACTIVE 
  71.     Midstream Drop Alerts: INACTIVE
  72.     Allow Blocking of TCP Sessions in Inline: ACTIVE
  73.     Server Data Inspection Limit: -1
  74. WARNING /etc/snort/snort.conf(417) => flush_behavior set in config file, using old static flushpoints (0)
  75. Stream4_reassemble config:
  76.     Server reassembly: ACTIVE
  77.     Client reassembly: ACTIVE
  78.     Reassembler alerts: ACTIVE
  79.     Zero out flushed packets: INACTIVE
  80.     Flush stream on alert: INACTIVE
  81.     flush_data_diff_size: 500
  82.     Reassembler Packet Preferance : Favor Old
  83.     Packet Sequence Overlap Limit: -1
  84.     Flush behavior: Small (<255 bytes)
  85.     Ports: 21 23 25 53 80 110 111 139 143 445 513 1433
  86.     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
  87. WARNING /etc/snort/snort.conf(454) => flush_behavior set in config file, using old static flushpoints (0)
  88. Stream4_reassemble config:
  89.     Server reassembly: INACTIVE
  90.     Client reassembly: ACTIVE
  91.     Reassembler alerts: ACTIVE
  92.     Zero out flushed packets: INACTIVE
  93.     Flush stream on alert: INACTIVE
  94.     flush_data_diff_size: 500
  95.     Reassembler Packet Preferance : Favor Old
  96.     Packet Sequence Overlap Limit: -1
  97.     Flush behavior: Small (<255 bytes)
  98.     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
  99.     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
  100. HttpInspect Config:
  101.     GLOBAL CONFIG
  102.       Max Pipeline Requests:    0
  103.       Inspection Type:          STATELESS
  104.       Detect Proxy Usage:       NO
  105.       IIS Unicode Map Filename: /etc/snort/unicode.map
  106.       IIS Unicode Map Codepage: 1252
  107.     DEFAULT SERVER CONFIG:
  108.       Server profile: All
  109.       Ports: 80 8080 8180
  110.       Flow Depth: 300
  111.       Max Chunk Length: 500000
  112.       Inspect Pipeline Requests: YES
  113.       URI Discovery Strict Mode: NO
  114.       Allow Proxy Usage: NO
  115.       Disable Alerting: NO
  116.       Oversize Dir Length: 500
  117.       Only inspect URI: NO
  118.       Ascii: YES alert: NO
  119.       Double Decoding: YES alert: YES
  120.       %U Encoding: YES alert: YES
  121.       Bare Byte: YES alert: YES
  122.       Base36: OFF
  123.       UTF 8: OFF
  124.       IIS Unicode: YES alert: YES
  125.       Multiple Slash: YES alert: NO
  126.       IIS Backslash: YES alert: NO
  127.       Directory Traversal: YES alert: NO
  128.       Web Root Traversal: YES alert: YES
  129.       Apache WhiteSpace: YES alert: NO
  130.       IIS Delimiter: YES alert: NO
  131.       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
  132.       Non-RFC Compliant Characters: NONE
  133.       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
  134. rpc_decode arguments:
  135.     Ports to decode RPC on: 111 32771
  136.     alert_fragments: INACTIVE
  137.     alert_large_fragments: ACTIVE
  138.     alert_incomplete: ACTIVE
  139.     alert_multiple_requests: ACTIVE
  140. Portscan Detection Config:
  141.     Detect Protocols:  TCP UDP ICMP IP
  142.     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
  143.     Sensitivity Level: Low
  144.     Memcap (in bytes): 10000000
  145.     Number of Nodes:   36900
  147. 5331 Snort rules read...
  148. 5331 Option Chains linked into 233 Chain Headers
  149. 0 Dynamic rules
  150. +++++++++++++++++++++++++++++++++++++++++++++++++++
  152. Tagged Packet Limit: 256
  154. +-----------------------[thresholding-config]----------------------------------
  155. | memory-cap : 1048576 bytes
  156. +-----------------------[thresholding-global]----------------------------------
  157. | none
  158. +-----------------------[thresholding-local]-----------------------------------
  159. | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60
  160. | gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2 
  161. | gen-id=1      sig-id=3543       type=Threshold tracking=src count=5   seconds=2 
  162. | gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
  163. | gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2 
  164. | gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5   seconds=60
  165. | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
  166. | gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60
  167. | gen-id=1      sig-id=4984       type=Threshold tracking=src count=5   seconds=2 
  168. | gen-id=1      sig-id=3542       type=Threshold tracking=src count=5   seconds=2 
  169. +-----------------------[suppression]------------------------------------------
  170. | none
  171. -------------------------------------------------------------------------------
  172. Rule application order: ->activation->dynamic->pass->drop->alert->log
  173. Log directory = /var/log/snort
  174. Loading dynamic engine /usr/lib/snort/dynamicengine/libsf_engine.so... done
  175. Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...


Warning: Directory /usr/lib/snort_dynamicpreprocessor/ does not exist!=> et oui nomal le répertoire n'existe pas sur mon systeme !!

Code :
  1. Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
  2. Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/...
  3.   Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  4.   Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
  5.   Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
  6.   Finished Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/
  7. FTPTelnet Config:
  8.     GLOBAL CONFIG
  9.       Inspection Type: stateful
  10.       Check for Encrypted Traffic: YES alert: YES
  11.       Continue to check encrypted data: NO
  12.     TELNET CONFIG:
  13.       Ports: 23
  14.       Are You There Threshold: 200
  15.       Normalize: YES
  16.       Detect Anomalies: NO
  17.     FTP CONFIG:
  18.       FTP Server: default
  19.         Ports: 21
  20.         Check for Telnet Cmds: YES alert: YES
  21.         Identify open data channels: YES
  22.       FTP Client: default
  23.         Check for Bounce Attacks: YES alert: YES
  24.         Check for Telnet Cmds: YES alert: YES
  25.         Max Response Length: 256
  26. SMTP Config:
  27.       Ports: 25
  28.       Inspection Type:            STATEFUL
  29.       Normalize Spaces:           YES
  30.       Ignore Data:                NO
  31.       Ignore TLS Data:            NO
  32.       Ignore Alerts:              NO
  33.       Max Command Length:         0
  34.       Max Header Line Length:     0
  35.       Max Response Line Length:   0
  36.       X-Link2State Alert:         YES
  37.       Drop on X-Link2State Alert: NO
  38. /etc/snort/snort.conf(792) unknown dynamic preprocessor "dcerpc"
  39. DNS config:
  40.     DNS Client rdata txt Overflow Alert: ACTIVE
  41.     Obsolete DNS RR Types Alert: INACTIVE
  42.     Experimental DNS RR Types Alert: INACTIVE
  43.     Ports: 53
  44. ERROR: Misconfigured dynamic preprocessor(s)
  45. Fatal Error, Quitting..


Message édité par madsurfer le 15-03-2007 à 18:27:58
n°896121
madsurfer
Boulet's eradicator
Posté le 20-03-2007 à 07:21:15  profilanswer
 

[:macfly_fr]


Aller à :
Ajouter une réponse
  FORUM HardWare.fr
  Linux et OS Alternatifs
  réseaux et sécurité

  Configuration snort - probleme preprocessor

 

Sujets relatifs
[Debian] Carte SCSI + Carte SATA -> Problème :/Problème Récup données en utilisant linux (mandriva) sur pc portable
problème de mise en relation de linux avec domaine windowsProbleme avec Totem et Mplayer qui ne veulent plus rien lire.
Problème d'affichage (ATI)Probleme Fetchmail
serveur sun fire x2200 m2 : problème de boot[debian] problème de démarrage d'interface
Probleme installation driver NvidiaProbléme+postfix
Plus de sujets relatifs à : Configuration snort - probleme preprocessor

Forum MesDiscussions.Net, Version 2010.2
(c) 2000-2011 Doctissimo
Page générée en 0.258 secondes

Copyright © 1997-2022 Hardware.fr SARL (Signaler un contenu illicite / Données personnelles) / Groupe LDLC / Shop HFR