SNORT FAQ Version 1.7 - January 04 2001 v1.7.3
Suggestions for enhancements of this document are
always welcome please email them to Dragos Ruiu at
dr@kyx.net
The following people have contributed to this faq:
Marty Roesch
Fyodor Yarochkin
Dragos Ruiu
Jed Pickel
Max Vision
Michael Davis
Joe McAlerney
Joe Stewart
Erek Adams
Roman Danyliw
Christopher Cramer
Frequently Asked Questions about "snort"
Q: How do you pronounce the names of some of these guys who work on snort?
Q: Is Fyodor Yarochkin the same Fyodor who wrote nmap?
Q: How do I run snort?
Q: Why does snort-win32 complain that it is missing packet.dll?
Q: Where are my log files located? What are they named?
Q: Where's a good place to physically put a Snort sensor?
Q: I'm on a switched network, can I still use Snort?
Q: I'm getting large amounts of a particular alert. What should I do? Where
can I go to find out more about it?
Q: What about all these false alarms?
Q: What are all these ICMP files in subdirectories under /var/log/snort?
Q: My network spans multiple subnets. How do I define HOME_NET?
Q: I have one network card and two aliases, how can I force snort to "listen"
on both addresses ?
Q: How do I ignore traffic coming from a particular host or hosts?
Q: Why does the portscan plugin log "stealth" packets even though the
host is in the portscan-ignorehosts list?
Q: Why are there no subdirectories under /var/log/snort for IP addresses?
Q: How do I run snort on an interface with no IP address?
Q: Libpcap complains about permissions problems, what's going on?
Q: Why does snort complain about /var/log/snort?
Q: How do you get snort to ignore some traffic?
Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set?
Q: I think I found a bug in snort. Now what?
Q: Does Snort handle IP defragmentation?
Q: Snort says "Garbage Packet with Null Pointer discarded!". Huh?
Q: I've got RedHat and ....
Q: How do I setup snort on a 'stealth' interface?
Q: I Want to build a snort box. Will this handle traffic?
Q: What are CIDR netmasks?
Q: Where do I get the latest version of libpcap?
Q: What are these IDS codes in the alert names?
Q: Snort says BACKDOOR SIGNATURE... does my machine have a Trojan?
Q: What about "CGI Null Byte attacks"?
Q: Where can I get more reading and courses about IDS?
Q: How do I log to multiple databases?
Q: What are all these "ICMP destination unreachable" alerts?
Q: Why does building snort complain about missing references?
Q: Why does building snort fail with errors about yylex and lex_init?
Q: What is the use of the "-r" switch to read tcpdump files?
Q: How do I get Snort to log the packet payload as well as the header?
Q: Does Snort log the full packets that it generates alerts on?
Q: Why does the program generate alerts on packets that have pass rules?
Q: Does Snort perform TCP stream reassembly?
Q: SMB alerts aren't working, what's wrong?
Q: How can I test snort without having an ethernet card or a connection to
other computers?
Q: I'm having problems getting snort to log to a database...
Q: Where do I get more help on snort?
Q: How to start snort as a win32 service?
Q: How do I process those snort logs into HTML reports?
Q: Why do certain alerts seem to have 'unknown' IPs in ACID?
Q: Why does the 'error deleting alert' message occur when attempting to delete
an alert with ACID?
Q: ACID appears to be broken in Lynx
Q: Can priorities be assigned to Alerts using ACID?
Q: My ACID db connection times-out when performing long operations (e.g.
deleting a large number of alerts)
Q: Why does snort report "Packet loss statistics are unavailable under Linux"?
Q: What the heck is a SYNFIN scan?
Q: What about 'SMB Name Wildcard' alerts?
Q: Which takes precedence, commandline or rule file ?
Q: My /var/log/snort directory gets very large.....
Q: Is it possible with snort to add a ipfilter/ipfw rule to a firewall?
Q: How can I run snort on multiple interfaces simultaneously?
Q: I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings, what's wrong?
Q: IP address is assigned dynamically to my interface, can I use snort with it?
Q: On HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument
Q: I am getting snort dying with 'can not create file' error and I have plenty of diskspace, what's wrong?
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do you pronounce the names of some of these guys who work on snort?
A: For the record, 'Roesch' is pronounced like 'fresh' without the 'f'.
Additionally, 'Ruiu' is pronounced like 'screw you' without the 'sc'. And
Jed's last name is like "pick-el", not "pickle". :)
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Is Fyodor Yarochkin the same Fyodor who wrote nmap?
A: Nope. fyodor@insecure.org is the author of nmap; his pseudonym happens to
be the same name as the snort Fyodor's real first name. Yeah, it messes up
my mailbox too, but I think it's too late to change either of them :-).
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I run snort?
A: Run Snort in sniffer mode (snort -dvi eth0) and make sure it can see the
packets. Then run it with HOME_NET set appropriately for the network you're
defending in your rules file. A default rules file comes with the snort
distribution and is called "snort.conf". You can run this basic ruleset
with the following command line:
snort -Afull -c snort.conf
If it's all set right, once it's running do an "ifconfig -a" and make sure
the interface is in promiscuous mode (it'll say PROMISC in the options section
of the printout). If it's not, there should be a way to set it manually.
For WIN32 you run it the same way as the UNIX version, except that if you
need to specify an interface you give the interface's number as returned by
"snort -W".
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does snort-win32 complain that it is missing packet.dll?
A: You have not installed the WinPcap drivers. These drivers are required
by the WIN32 port of snort. You can download them
at http://netgroup-serv.polito.it/winpcap/.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where are my log files located? What are they named?
A: If you specified a logging directory with the -l parameter then that is
where your files are located. If you did not specify a logging directory
then Snort will log to /var/log/snort/ or ./log on WIN32.
In the past, running Snort in daemon mode (-D) produced a file named
"snort.alert". For consistency sake, this has been changed. Running
Snort in both standard or daemon modes (-D) will produce a file named
"alert".
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where's a good place to physically put a Snort sensor?
A: This is going to be heavily influenced by your organization's policy and
by what you want to detect. One way of looking at it is deciding whether you
want to place it inside or outside your firewall. Placing an IDS outside
of your firewall will allow you to monitor all attacks directed at your
network, regardless of whether or not they are stopped at the firewall.
This almost certainly means that the IDS will pick up more events
than an IDS inside the firewall, and hence more logs will be generated.
Place an IDS inside your firewall if you are only interested in monitoring
traffic that your firewall let pass. If resources permit, it may be best
to place one IDS outside and one IDS inside of your firewall. This way
you can watch for everything directed at your network, and anything that
made its way in.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I'm on a switched network, can I still use Snort?
A: This depends on the type of switch you have. If it can mirror traffic
(a SPAN or monitor port), you can direct a copy of the traffic to the port
that your Snort box is on.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I'm getting large amounts of a particular alert. What should I do? Where
can I go to find out more about it?
A: Some rules are more prone to producing false positives than others.
This often varies between networks. You first need to determine if it
is indeed a false positive. Some rules are referenced with ID numbers.
The following are some common identification systems, and where to go
to find more information about a particular alert.
System    Example          URL
---------------------------------------------------------------
IDS       IDS182           http://www.whitehats.com/IDS/182
CVE       CVE-2000-0138    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0138
Bugtraq   BugtraqID 1      http://www.securityfocus.com/vdb/bottom.html?vid=1
McAfee    Mcafee 10225     http://vil.nai.com/vil/dispVirus.asp?virus_k=10225
It may be necessary to examine the packet payload to determine if the
alert is a false positive. The packet payload is logged using the -d
option. If you determine the alerts are false positives, you may want
to write pass rules for the machines that are producing a large number of
them (pass rules are only honoured when Snort is started with -o, see below).
If the rule produces an unmanageable number of false positives from many
different machines, you could pass the rule for all traffic. This should
be used as a last resort.
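The triage the answer describes (find out which hosts trip which rule, look the reference id up, then write pass rules only for the noisy hosts) can be done over the "alert" file itself. The following is an added example, not code from the Snort project; the sample alert entries are constructed for it in the layout of a Snort 1.x "-A full" alert file, the URL patterns come from the table above (they are 2001-era links), and the emitted pass rules are candidates to be narrowed by hand:

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of a Snort 1.x "-A full" alert file.
# The entries are made up for this example; they are not real alerts.
SAMPLE_ALERT_FILE = """\
[**] IDS182 - MISC - sample shellcode x86 NOPS [**]
01/04-12:00:01.123456 10.1.1.5:1234 -> 192.168.1.10:80
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x1234 Ack: 0x5678 Win: 0x4000 TcpLen: 20

[**] IDS182 - MISC - sample shellcode x86 NOPS [**]
01/04-12:00:02.223456 10.1.1.5:1235 -> 192.168.1.10:80
TCP TTL:64 TOS:0x0 ID:12346 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x2234 Ack: 0x6678 Win: 0x4000 TcpLen: 20

[**] IDS182 - MISC - sample shellcode x86 NOPS [**]
01/04-12:00:04.423456 10.1.1.77:4000 -> 192.168.1.10:80
TCP TTL:64 TOS:0x0 ID:12348 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x4234 Ack: 0x8678 Win: 0x4000 TcpLen: 20

[**] CVE-2000-0138 - DDOS - sample handler probe [**]
01/04-12:00:05.523456 10.1.1.9 -> 192.168.1.20
ICMP TTL:64 TOS:0x0 ID:12349 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1  Seq:1  ECHO
"""

HEADER_RE = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")          # timestamp src -> dst
REF_RE = re.compile(r"\b(IDS\d+|CVE-\d{4}-\d+|CAN-\d{4}-\d+|BugtraqID \d+|Mcafee \d+)\b")


def split_endpoint(endpoint):
    """'10.1.1.5:1234' -> ('10.1.1.5', 1234); an ICMP entry has no port."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)


def parse_alerts(text):
    """Turn the alert file into one dict per entry (entries are blank-line separated)."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        header = HEADER_RE.match(lines[0]) if lines else None
        flow = FLOW_RE.match(lines[1]) if len(lines) > 2 else None
        if not (header and flow):
            continue                                    # not a well-formed entry
        src, sport = split_endpoint(flow.group(2))
        dst, dport = split_endpoint(flow.group(3))
        alerts.append({"msg": header.group(1), "refs": REF_RE.findall(header.group(1)),
                       "proto": lines[2].split()[0].lower(),
                       "src": src, "sport": sport, "dst": dst, "dport": dport})
    return alerts


def reference_url(ref):
    """Lookup URL for a reference id, using the URL patterns from the FAQ's table."""
    if ref.startswith("IDS"):
        return "http://www.whitehats.com/IDS/" + ref[3:]
    if ref.startswith(("CVE-", "CAN-")):
        return "http://cve.mitre.org/cgi-bin/cvename.cgi?name=" + ref
    if ref.startswith("BugtraqID "):
        return "http://www.securityfocus.com/vdb/bottom.html?vid=" + ref.split()[1]
    if ref.startswith("Mcafee "):
        return "http://vil.nai.com/vil/dispVirus.asp?virus_k=" + ref.split()[1]
    return None


def count_by_source(alerts):
    """How many times each rule fired per source host: the noisy hosts stand out."""
    return Counter((a["msg"], a["src"]) for a in alerts)


def suggest_pass_rules(alerts, threshold):
    """One candidate pass rule per (rule, source host) at or above the threshold.
    Each rule is scoped to source host, destination host and port.  Before using
    one, copy the content/flags options of the original alert rule into the
    parentheses so only that exact false positive is passed, not all traffic
    from the host; and remember pass rules only win with 'snort -o'."""
    counts = count_by_source(alerts)
    targets = defaultdict(set)
    for a in alerts:
        if counts[(a["msg"], a["src"])] >= threshold:
            targets[(a["msg"], a["src"], a["proto"])].add((a["dst"], a["dport"]))
    rules = []
    for (msg, src, proto), dests in sorted(targets.items()):
        for dst, dport in sorted(dests, key=lambda d: (d[0], d[1] or 0)):
            port = "any" if dport is None else str(dport)
            rules.append(f'pass {proto} {src}/32 any -> {dst}/32 {port} '
                         f'(msg:"pass {msg} from {src}";)')
    return rules


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERT_FILE)
    for (msg, src), n in count_by_source(alerts).most_common():
        print(f"{n:4d}  {src:15}  {msg}")
    for ref in sorted({r for a in alerts for r in a["refs"]}):
        print(ref, "->", reference_url(ref))
    print("\n".join(suggest_pass_rules(alerts, threshold=2)))
```

With the sample, 10.1.1.5 crosses the threshold for the IDS182 rule and gets a candidate pass rule scoped to that host, 192.168.1.10 and port 80; 10.1.1.77 does not, so its single alert still needs to be looked at. Replace SAMPLE_ALERT_FILE with the contents of your own alert file (open(...).read()) and raise the threshold to suit your traffic volume.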
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What about all these false alarms?
A: Most users find a pile of false positives infinitely preferable to missed
attacks: they can turn off the rules they don't want. The reverse, a small
rule set, can lure people into complacency, thinking that Snort is doing "its
thing" and there is nothing to worry about.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are all these ICMP files in subdirectories under /var/log/snort?
A: Most of them are likely ICMP destination unreachable (including port
unreachable) messages that Snort saw when a communication attempt failed.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: My network spans multiple subnets. How do I define HOME_NET?
A: Snort 1.7 supports IP lists. You can assign a number of addresses to
a single variable. For example:
var HOME_NET [10.1.1.0/24,192.168.1.0/24]
NOTE: Not all preprocessors support IP lists at this time. Unless
otherwise stated, assume that any preprocessor using an IP list variable
will use the first value as the HOME_NET. The portscan preprocessor
is an example. To catch all detectable portscans, pass 0.0.0.0/0 in
as the first parameter.
preprocessor portscan: 0.0.0.0/0 5 3 portscan.log
Use the portscan-ignorehosts preprocessor to fine tune and ignore
traffic from noisy, trusted machines.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I have one network card and two aliases, how can I force snort to "listen"
on both addresses ?
A: If you're using at least version 1.7, you can specify an IP list like
this:
var HOME_NET [10.1.1.0/24,192.168.1.0/24]
If you're using something older (version 1.6.3-patch2 or whatever) you can
re-specify the HOME_NET variable multiple times like this (for example):
var HOME_NET 10.1.1.0/24
include scan-lib
etc.
var HOME_NET 192.168.1.0/24
include scan-lib
etc.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I ignore traffic coming from a particular host or hosts?
A: Write pass rules for the host(s) and add them to the portscan-ignorehosts
list. Start Snort with the -o option: by default rules are applied in
Alert->Pass->Log order, so an alert rule fires before the pass rule is ever
consulted; -o changes the order to Pass->Alert->Log so the pass rules win.
See http://www.snort.org/writing_snort_rules.htm for more information.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does the portscan plugin log "stealth" packets even though the
host is in the portscan-ignorehosts list?
A: These types of tcp packets are inherently suspicious, no matter where
they are coming from. The portscan detector was built with the assumption
that "stealth" packets should be reported, even from hosts which are not
monitored for portscanning. An option to ignore "stealth" packets may be
added in the future.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I setup snort on a 'stealth' interface?
A: Bring up the interface without an IP address on it.
Url: http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/
A: Use an ethernet tap, or build your own 'receive-only' ethernet cable.
Url: http://www.robertgraham.com/pubs/sniffing-faq.html#receive-only
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why are there no subdirectories under /var/log/snort for IP addresses?
A: It depends on how your snort configuration logs. If it logs in binary
(tcpdump) format, you'll have to process the binary log (for example by
reading it back with snort -r) in order to get cleartext output.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I run snort on an interface with no IP address?
A: Bring the interface up without assigning it an address: ifconfig ethN up.
This command is not necessary in the WIN32 version of snort.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Libpcap complains about permissions problems, what's going on?
A: You are either not running snort as root (libpcap needs root to open the
capture device) or your kernel lacks the packet capture support libpcap
needs.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does snort complain about /var/log/snort or ./log?
A: Snort needs this directory to exist before it can log alerts to it.
Use: mkdir /var/log/snort
or, in WIN32,
Use: mkdir log
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do you get snort to ignore some traffic?
A1: Specify a bpf filter on the command line; the tcpdump man page
has a description of bpf filters. Note that a bpf filter drops the
matching traffic before any rule sees it, so nothing from that host
will ever be alerted on.
A2: Use a pass rule (and start Snort with -o so pass rules take precedence).
A3: The portscan preprocessor has its own exclusion list, set with the
portscan-ignorehosts directive in the rules file.
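The HOME_NET, alias, ignore-host and ignore-traffic answers above fit together in one rules file. The following is an added example fragment, not a file shipped with Snort; the addresses, the two "trusted" hosts and the "sample-check" content are placeholders chosen for this example:

```snort
# Added example snort.conf fragment (not shipped with Snort); addresses are placeholders.

# One HOME_NET covering both subnets (Snort 1.7 IP-list syntax).  For a single
# card with two aliases, list both alias networks the same way.
var HOME_NET [10.1.1.0/24,192.168.1.0/24]

# The portscan preprocessor honours only the first entry of an IP list, so watch
# 0.0.0.0/0 (5 ports in 3 seconds = scan, results to portscan.log) and take the
# trusted noisy hosts out with portscan-ignorehosts instead.  "Stealth" packets
# (e.g. SYN FIN) from ignored hosts are still logged.
preprocessor portscan: 0.0.0.0/0 5 3 portscan.log
preprocessor portscan-ignorehosts: 10.1.1.53/32 192.168.1.2/32

# Pass rules for known false positives.  Keep them narrow: the source host, the
# destination, the port and the same content the alert rule matches on, so only
# the known-good traffic is passed and not everything from that host.
# Pass rules only take precedence over alert rules when Snort runs with -o.
pass tcp 10.1.1.53/32 any -> $HOME_NET 80 (content:"sample-check"; msg:"monitoring host web check";)

# Alert rules follow (e.g. the rule libraries shipped with the distribution).
include scan-lib
```

Run it as "snort -c snort.conf -o" so the pass rule is consulted before the alert rules. The bpf alternative, "snort -c snort.conf 'not host 10.1.1.53'", is simpler but blinds the sensor to everything that host sends, including a real attack from it; the pass rule with -o suppresses only the traffic it matches.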
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does the portscan plugin log "stealth" packets even though the host
is in portscan-ignorehosts?
A: Because that's the way it was made. :-) No, because these types of tcp
packets are inherently suspicious, no matter where they are coming from.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set?
A: One of the reasons the rules match on the PA flags is to minimize false
positives. P and A are set on a packet carrying data inside an established
connection, so you only get an alert when the connection actually completed
and the payload was delivered; a bare SYN to the port (an attempt that was
refused or filtered) does not match. If you want to see all the attempts,
you either have to modify the signatures, add your own signatures, or use
your firewall logs to see whether an attempt on a specific port occurred.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I think I found a bug in snort. Now what?
A: Get some more diagnostic information and post it to the "snort-users" list
at http://www.sourceforge.net
To get diagnostic information compile snort as either: