faq

(file from the archive "入侵检测系统.linux下与MySql连用的例子", i.e. "intrusion detection system: an example of use with MySQL under Linux")
2.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Libpcap complains about permissions problems, what's going on?
A: You are either not running snort as root or your kernel is not
   configured correctly.

2.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does snort complain about /var/log/snort?
A: It requires this directory to log alerts to.
   Use: mkdir /var/log/snort

2.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I've got RedHat and ....
A: Check your version of libpcap. :) If it's not >= 0.5, then you should
   update.

2.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Where do I get the latest version of libpcap?
A: http://www.tcpdump.org/

2.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does building snort complain about missing references?
A: You must make libpcap with the --install-incl option or install the
   libpcap-devel rpm.

2.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does building snort fail with errors about yylex and lex_init?
A: You need the lex and yacc tools or their GNU equivalents, flex and
   bison, installed.

2.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I want to build a snort box. Will this <Insert List> handle <this much>
   traffic?
A: That depends. ;-) Lowering the number of rules is a standard performance
   increase. Disable rules that you don't need or care about. Etc... There
   have been many discussions on 'tweaking performance' with lots of 'I handle
   XX mb with a ___ machine setup.' being said. Look at some of the
   discussions on snort-users.

2.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What are CIDR netmasks?
A: Excerpted from URL: http://public.pacbell.net/dedicated/cidr.html

   CIDR is a new addressing scheme for the Internet which allows for more
   efficient allocation of IP addresses than the old Class A, B, and C
   address scheme.

   CIDR Block Prefix   # Equivalent Class C   # of Host Addresses
   /27                 1/8th of a Class C     32 hosts
   /26                 1/4th of a Class C     64 hosts
   /25                 1/2 of a Class C       128 hosts
   /24                 1 Class C              256 hosts
   /23                 2 Class C              512 hosts
   /22                 4 Class C              1,024 hosts
   /21                 8 Class C              2,048 hosts
   /20                 16 Class C             4,096 hosts
   /19                 32 Class C             8,192 hosts
   /18                 64 Class C             16,384 hosts
   /17                 128 Class C            32,768 hosts
   /16                 256 Class C            65,536 hosts (= 1 Class B)
   /15                 512 Class C            131,072 hosts
   /14                 1,024 Class C          262,144 hosts
   /13                 2,048 Class C          524,288 hosts

   For more detailed technical information on CIDR, go to
   http://www.rfc-editor.org/rfcsearch.html and type in the number of the
   CIDR RFC you are interested in:

   RFC 1517: Applicability Statement for the Implementation of CIDR
   RFC 1518: An Architecture for IP Address Allocation with CIDR
   RFC 1519: CIDR: An Address Assignment and Aggregation Strategy
   RFC 1520: Exchanging Routing Information Across Provider Boundaries in the
             CIDR Environment

2.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What is the use of the "-r" switch to read tcpdump files?
A: Used in conjunction with a snort rules file, the tcpdump data can be
   analyzed for hostile content, port scans, or anything else Snort can be used
   to detect. Snort can also just simply display the packets in their decoded
   format, which many people find is easier to read than native tcpdump
   output.
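As an added worked example (not part of the Snort FAQ or of Snort itself), the following Python regenerates the CIDR table above from the prefix length and applies the same arithmetic to the bracketed IP-list syntax that FAQ 3.3 and 3.6 use for HOME_NET. It uses Python's ipaddress module rather than Snort's own parser, and the first_entry helper models the "first value" behaviour that FAQ 3.3 attributes to preprocessors which do not support IP lists.

```python
"""CIDR arithmetic behind the table in FAQ 2.11, applied to the bracketed
IP-list form that FAQ 3.3 and 3.6 use for HOME_NET. Added example; this is
not code from the Snort FAQ or from Snort itself."""
import ipaddress
from typing import List, Tuple

def hosts_in_prefix(prefix_len: int) -> int:
    """Addresses covered by an IPv4 /prefix: the table's "# of Host Addresses"."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    return 1 << (32 - prefix_len)

def class_c_equivalent(prefix_len: int) -> str:
    """The table's middle column: how many /24 (Class C) blocks a prefix spans."""
    hosts = hosts_in_prefix(prefix_len)
    if hosts >= 256:
        return f"{hosts // 256:,} Class C"
    return f"1/{256 // hosts} of a Class C"

def cidr_table(longest: int = 27, shortest: int = 13) -> List[Tuple[str, str, str]]:
    """Regenerate the FAQ's rows, from /27 down to /13 by default."""
    return [(f"/{p}", class_c_equivalent(p), f"{hosts_in_prefix(p):,} hosts")
            for p in range(longest, shortest - 1, -1)]

def parse_ip_list(value: str) -> List[ipaddress.IPv4Network]:
    """Parse '[10.1.1.0/24,192.168.1.0/24]' or a single CIDR into networks.
    A bare address becomes a /32; host bits set inside a block are masked off."""
    text = value.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    nets = []
    for item in text.split(","):
        if not item.strip():
            raise ValueError(f"empty entry in IP list {value!r}")
        nets.append(ipaddress.IPv4Network(item.strip(), strict=False))
    return nets

def in_home_net(addr: str, home_net: str) -> bool:
    """True if addr lies inside any entry of the HOME_NET list."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in parse_ip_list(home_net))

def first_entry(home_net: str) -> str:
    """What a preprocessor that does not understand IP lists treats as HOME_NET
    (FAQ 3.3: such preprocessors use the first value of the list)."""
    return str(parse_ip_list(home_net)[0])
```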
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

***************************************
Section 3: CONFIGURING SNORT
***************************************

3.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I setup snort on a 'stealth' interface?
A: Bring up the interface without an IP address on it. See FAQ 3.2...
   http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/
A: Use an ethernet tap, or build your own 'receive-only' ethernet cable.
   http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm
A: Anyway, here is the cable I use:

     LAN                 Sniffer
     1 -----\      /--------- 1
     2 ---\ |      \--------- 2
     3 ---+-*---------------- 3
     4 -    |               - 4
     5 -    |               - 5
     6 -----*---------------- 6
     7 -                    - 7
     8 -                    - 8

   Basically, 1 and 2 on the sniffer side are connected, 3 and 6
   straight through to the LAN. 1 and 2 on the LAN side connect to 3 and
   6 respectively. This fakes a link on both ends but only allows
   traffic from the LAN to the sniffer. It also causes the 'incoming'
   traffic to be sent back to the LAN, so this cable only works well on
   a hub. You can use it on a switch but you will get ...err...
   interesting results. Since the switch receives the packets back in on
   the port it sent them out, the MAC table gets confused and after a
   short while devices start to drop off the switch. Works like a charm
   on a hub though.

3.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I run snort on an interface with no IP address?
A: ifconfig ethN up

3.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: My network spans multiple subnets. How do I define HOME_NET?
A: Snort 1.7 supports IP lists. You can assign a number of addresses to
   a single variable. For example:

     var HOME_NET [10.1.1.0/24,192.168.1.0/24]

   NOTE: Not all preprocessors support IP lists at this time. Unless
   otherwise stated, assume that any preprocessor using an IP list variable
   will use the first value as the HOME_NET. The portscan preprocessor
   is an example. To catch all detectable portscans, pass 0.0.0.0/0 in
   as the first parameter.

     preprocessor portscan: 0.0.0.0/0 5 3 portscan.log

   Use the portscan-ignorehosts preprocessor to fine tune and ignore
   traffic from noisy, trusted machines.

3.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How can I run snort on multiple interfaces simultaneously?
A: If you aren't running snort on a linux 2.1.x/2.2.x kernel (with LPF
   available), the only way is to run multiple instances of snort, one
   instance per interface. However, for linux 2.1.x/2.2.x and higher you can
   use the libpcap library with S. Krahmer's patch, which allows you to
   specify 'any' as the interface name. In this case snort will be able to
   process traffic coming to all interfaces.

3.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: The IP address is assigned dynamically to my interface, can I use snort
   with it?
A: Yes. With snort 1.7 and later, the <interface>_ADDRESS variable is
   available. The value of this variable will always be set to the IP
   address/netmask of the interface on which you run snort. If the interface
   goes down and up again (and an IP address is reassigned) you will have to
   restart snort. For earlier versions of snort, numerous scripts to achieve
   the same result are available.

3.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I have one network card and two aliases, how can I force snort to "listen"
   on both addresses?
A: If you're using at least version 1.7, you can specify an IP list like
   this:

     var HOME_NET [192.168.<your-IP>/24,<Internet address>/32]

   If you're using something older (version 1.6.3-patch2 or whatever) you can
   re-specify the HOME_NET variable multiple times like this (for example):

     var HOME_NET 10.1.1.0/24
     include scan-lib
     etc.
     var HOME_NET 192.168.1.0/24
     include scan-lib
     etc.

3.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I ignore traffic coming from a particular host or hosts?
A: Write pass rules and add the host(s) to the portscan-ignorehosts list.
   Call Snort with the -o option to activate the pass rules.
   See http://www.snort.org/writing_snort_rules.htm for more information.

3.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I get Snort to log the packet payload as well as the header?
A: Use the "-d" command line option.

3.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why are there no subdirectories under /var/log/snort for IP addresses?
A: It depends on how your snort configuration logs. If it logs in binary
   format, you'll have to process the binary log in order to get cleartext.

3.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do you get snort to ignore some traffic?
A1: Specify bpf filters on the command line; the tcpdump man page
    has a description of bpf filters.
A2: Use a pass rule.
A3: The portscan preprocessor has its own special exclusion list
    with the portscan-ignorehosts.rules file directive.

3.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does the portscan plugin log "stealth" packets even though the
   host is in the portscan-ignorehosts list?
A: These types of tcp packets are inherently suspicious, no matter where
   they are coming from. The portscan detector was built with the assumption
   that "stealth" packets should be reported, even from hosts which are not
   monitored for portscanning. An option to ignore "stealth" packets may be
   added in the future.

3.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Which takes precedence, command line or rule file?
A: The command line always gets precedence over the rules file. If people
   want to try stuff out quickly without having to manually edit the rules
   file, they should be able to override many things from the command
   line.

3.13 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How does rule ordering work?
A: Marty has answered this many times on the snort-users mailing list. Here is
   an excerpt from a post on Thu, 22 Feb 2001 00:31:53 -0500, titled "Re:
   [Snort-users] order of evaluation of rules":

Currently, the data structures that store Snort rule data are the
RuleTreeNodes (RTN) and the OptTreeNodes (OTN). These data structs are
stored in a two dimensional linked list structure with the RTNs forming
the top row of the "Array" and the OTNs forming the columns under the
RTNs. Here's an ASCII illustration from the infamous "lisapaper":

  RTN                   RTN                    RTN
 --------------        --------------         -----
| Chain Header |      | Chain Header |      | Chai
|              |      |              |      |
| Src IP       |      | Src IP       |      | Src
| Dst IP       |----->| Dst IP       |----->| Dst   .....
| Src Port     |      | Src Port     |      | Src
| Dst Port     |      | Dst Port     |      | Dst
|              |      |              |      |
 --------------        --------------         -----
        |                     |
        |                     |
        |                     |
  OTN  \|/            OTN    \|/
 -------V------       --------V-------
| Chain Option  |    | Chain Option   |
|               |    |        :       |
| Content       |             :
| TCP Flags     |             :
| ICMP Data     |
| Payload Size  |
| etc.          |
|               |
 ---------------
        |
        |
        |
  OTN  \|/
 -------V------
| Chain Option |
|              |
| Content      |
| TCP Flags    |
| ICMP data    |
| Payload Size |
| etc.         |
|              |
 --------------
        |
        |

Rules with similar rule headers (i.e. all the CGI rules, the old stealth
port scan detection rules, most of the rules that focus on any single
service, etc) are grouped under a single RTN for the sake of efficiency
and the applicable OTNs are hung below them. For instance, if you have
three rules like this:

alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
alert tcp any any -> $HOME 80 (content: "bar"; msg: "bar";)
alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)

They all get grouped under the same RTN and the OTNs are "hung" beneath
them like this:

  RTN
 --------------------
|  SIP: any          |
|  SP: any           |
|  DIP: $HOME        |
|  DP: 80            |
 --------------------
           |
           |
  OTN     \|/
  ---------v----------
 | content: foo       |
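The grouping Marty describes, as an added example in Python (not Snort's code, and deliberately simplified: header fields match by exact string or 'any', with no CIDR blocks or port ranges, and $VARS are resolved from a dict). Each rule is parsed into a header tuple (the RTN key) and an option dict (an OTN), identical headers share one RTN, and a packet is matched by walking the RTN row and then each matching RTN's OTN column in rule-file order; the rules are the three from the post plus one constructed rule with a different header so that a second RTN appears.

```python
"""Simplified model of the RTN/OTN rule structure described in FAQ 3.13. Added
example, not Snort's own code: header fields match by exact string or 'any'
(no CIDR blocks or port ranges) and $VARS are resolved from a dict."""
import re
from typing import Dict, List, Optional
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(line: str):
    """Split one rule into its header tuple (the RTN key) and option dict (an OTN)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse rule: {line!r}")
    *header, opts = m.groups()
    otn = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        otn[key.strip()] = val.strip().strip('"')
    return tuple(header), otn

def build_chains(rules: List[str]) -> Dict[tuple, List[dict]]:
    """Rules with identical headers share one RTN; their OTNs hang below in file order."""
    chains: Dict[tuple, List[dict]] = {}  # insertion order is the RTN row, left to right
    for line in rules:
        rtn, otn = parse_rule(line)
        chains.setdefault(rtn, []).append(otn)
    return chains

def _matches(rule_val: str, pkt_val: str, variables: Dict[str, str]) -> bool:
    if rule_val.startswith("$"):
        rule_val = variables[rule_val[1:]]
    return rule_val == "any" or rule_val == pkt_val

def first_alert(chains: Dict[tuple, List[dict]], packet: dict, variables: Dict[str, str]) -> Optional[str]:
    """Walk the RTN row; under each header matching the packet walk its OTN column and
    return the msg of the first OTN whose content is in the payload (no content = header-only)."""
    for (_action, proto, sip, sp, dip, dp), otns in chains.items():
        fields = ((sip, "sip"), (sp, "sp"), (dip, "dip"), (dp, "dp"))
        if proto != packet["proto"] or not all(_matches(r, packet[k], variables) for r, k in fields):
            continue
        for otn in otns:
            if otn.get("content", "") in packet["payload"]:
                return otn.get("msg")
    return None

# Constructed sample data: the three rules quoted in the FAQ plus one with another header.
RULES = ['alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)',
         'alert tcp any any -> $HOME 80 (content: "bar"; msg: "bar";)',
         'alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)',
         'alert tcp any any -> $HOME 21 (content: "USER"; msg: "ftp user";)']
CHAINS = build_chains(RULES)  # two RTNs: the :80 header with three OTNs, the :21 header with one
```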
