win32_faq.txt
	make clean; make CFLAGS=-ggdb

	or
	make clean; make "CFLAGS=-ggdb -DDEBUG"

    then trace the core dump with:

	gdb /path/to/snort /path/to/snort/core

	gdb> where
	gdb> bt
	gdb> print varname      (or $varname, $$varname, etc.)

    or, if no core file is generated, start snort under gdb instead:

	gdb snort

	gdb> run 
				
  
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Does Snort handle IP defragmentation?

A: Yes, use "preprocessor defrag".
   Snort also currently has the "minfrag" rule option, which looks for tiny
   fragments and can generate alerts based on the size of the fragments
   alone.  This is a valid strategy because virtually no commercially
   available network equipment fragments packets smaller than 256 bytes,
   while most attack tools that try to mask their traffic with fragments
   make them as small as possible.  The minfrag option lets you specify a
   fragment size threshold below which Snort will generate an alert.  Tune
   the threshold against your own traffic: the final fragment of a
   legitimately fragmented datagram is only as large as the remainder.
                      

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort says "Garbage Packet with Null Pointer discarded!". Huh?

A:  This was an internal diagnostic message triggered by an old bug in
    early versions of the defragmentation preprocessor.  Upgrade to the
    latest version of snort.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q:  I've got RedHat and ....

A:  Check your version of libpcap.  :)  If it is older than 0.5, update it.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q:  How do I setup snort on a 'stealth' interface?
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q:  I Want to build a snort box.  Will this  handle 
    traffic?

A:  That depends.  ;-)  Lowering the number of rules is the standard
    performance improvement: disable rules that you don't need or care
    about.  There have been many discussions of 'tweaking performance' on
    snort-users, with lots of 'I handle XX Mb with a ___ machine setup'
    reports being posted.  Look at some of those discussions.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are CIDR netmasks?

A: Excerpted from http://public.pacbell.net/dedicated/cidr.html

   CIDR is a new addressing scheme for the Internet which allows for more
   efficient allocation of IP addresses than the old Class A, B, and C
   address scheme.

   CIDR Block Prefix   # Equivalent Class C     # of Host Addresses
   /27                 1/8th of a Class C       32 hosts
   /26                 1/4th of a Class C       64 hosts
   /25                 1/2 of a Class C         128 hosts
   /24                 1 Class C                256 hosts
   /23                 2 Class C                512 hosts
   /22                 4 Class C                1,024 hosts
   /21                 8 Class C                2,048 hosts
   /20                 16 Class C               4,096 hosts
   /19                 32 Class C               8,192 hosts
   /18                 64 Class C               16,384 hosts
   /17                 128 Class C              32,768 hosts
   /16                 256 Class C              65,536 hosts (= 1 Class B)
   /15                 512 Class C              131,072 hosts
   /14                 1,024 Class C            262,144 hosts
   /13                 2,048 Class C            524,288 hosts

   For more detailed technical information on CIDR, go to
   http://www.rfc-editor.org/rfcsearch.html and type in the number of the
   CIDR RFC you are interested in:

   RFC 1517: Applicability Statement for the Implementation of CIDR
   RFC 1518: An Architecture for IP Address Allocation with CIDR
   RFC 1519: CIDR: An Address Assignment and Aggregation Strategy
   RFC 1520: Exchanging Routing Information Across Provider Boundaries in
             the CIDR Environment

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where do I get the latest version of libpcap?

A: http://www.tcpdump.org/, or http://netgroup-serv.polito.it/winpcap/ for
   the WIN32 port of libpcap.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are these IDS codes in the alert names?

A: IDS means "Intrusion Detection Signature" (true?) and identifies a
   known attack attempt. You can learn more about a specific IDS id
   at the arachNIDS search engine on http://www.whitehats.com/.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort says BACKDOOR SIGNATURE... does my machine have a Trojan?

A: If you are dumping the data part of the packet (the "-d" switch), review
   it.  These rules are known to have high false-positive rates, as most of
   them are based on nothing more than port numbers.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What about "CGI Null Byte attacks"?

A: It's a part of the http preprocessor.  Basically, if the http decoding
   routine finds a %00 in an http request, it will alert with this message.
   Sometimes you may see false positives with sites that use cookies with
   urlencoded binary data, or if you're scanning port 443 and picking up
   SSL-encrypted traffic.  If you're logging alerted packets you can check
   the actual string that caused the alert.  The unicode alert is subject
   to the same false positives with cookies and SSL.  Having the packet
   dumps is the only way to tell for sure whether you have a real attack on
   your hands, but this is true for any content-based alert.


--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q:  Where can I get more reading and courses about IDS?

A:  SANS has some courses.  There are also a couple of books you might
    want to look into getting.

	Network Intrusion Detection An Analyst's Handbook
	By Stephen Northcutt
	ISBN 0735708681

	TCP/IP Illustrated, Volume 1 The Protocols
	By W. Richard Stevens
	ISBN 0201633469

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I log to multiple databases?

A: You can build redundancy by using multiple output plugins. Here are
   some examples.

   Multiple instantiations of the database plugin:

	output log_database: mysql, dbname=snort host=localhost user=xyz
	output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz

   Remote database and local tcpdump:

	output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz 
	output log_tcpdump: /var/log/snort.tcpdump

   Then you can replay the tcpdump file through snort to recreate the 
   database.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are all these "ICMP destination unreachable" alerts?

A: They are failed connections.  An ICMP unreachable packet carries the IP
   header and the first 8 bytes (64 bits) of the original datagram that
   failed; for TCP and UDP those 8 bytes include the port numbers, so the
   logged packet tells you which connection attempt the alert refers to.
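   Worked example added here for this question and for the earlier minfrag
   question; it is not code from Snort.  It decodes IPv4 headers from raw
   bytes, applies a minfrag-style size threshold to fragments, and pulls the
   original datagram's addresses, protocol and ports out of an ICMP
   destination-unreachable message.  The 256-byte threshold follows the
   FAQ's observation, the packets are constructed inline rather than
   captured, all function names are this example's own, and the choice to
   judge only fragments with the More Fragments flag set (so that a small
   final fragment is not flagged) is a design decision of this example, not
   a statement about how Snort's minfrag behaves.

```python
"""Added example, not Snort project code: a minimal IPv4 decoder, a
minfrag-style tiny-fragment check, and a decoder for the original datagram
carried inside ICMP destination-unreachable messages.  Every packet below is
constructed by hand for the example; nothing is captured from a network."""
import struct

# Threshold taken from the FAQ's observation that real equipment does not
# emit fragments under 256 bytes; the exact value is a local tuning choice.
MINFRAG_THRESHOLD = 256
ICMP_DEST_UNREACH = 3


def parse_ipv4(pkt):
    """Decode an IPv4 header; returns its fields plus whatever payload bytes are present."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a usable IPv4 packet")
    return {
        "total_len": total_len,
        "ident": ident,
        "mf": bool(flags_frag & 0x2000),        # More Fragments flag
        "frag_off": (flags_frag & 0x1FFF) * 8,   # offset field is in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        # The copy inside an ICMP error is usually cut short: take what is there.
        "payload": pkt[ihl:total_len],
    }


def is_tiny_fragment(pkt, threshold=MINFRAG_THRESHOLD):
    """minfrag-style check: a non-final fragment carrying less data than the threshold.

    The last fragment of a datagram (MF clear, offset > 0) is legitimately
    small, so only fragments with More Fragments set are judged here."""
    ip = parse_ipv4(pkt)
    return ip["mf"] and len(ip["payload"]) < threshold


def decode_icmp_unreach(pkt):
    """Extract the original datagram's endpoints from an ICMP destination
    unreachable, or return None if pkt is not one.  RFC 792 guarantees only
    the original IP header plus its first 8 bytes, which is exactly enough
    for the TCP/UDP source and destination ports."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != 1 or len(outer["payload"]) < 8 + 20:
        return None
    icmp_type, code = struct.unpack("!BB", outer["payload"][:2])
    if icmp_type != ICMP_DEST_UNREACH:
        return None
    inner = parse_ipv4(outer["payload"][8:])  # skip type/code/checksum/unused
    ports = (None, None)
    if inner["proto"] in (6, 17) and len(inner["payload"]) >= 4:
        ports = struct.unpack("!HH", inner["payload"][:4])
    return {"code": code, "reporter": outer["src"],
            "orig_src": inner["src"], "orig_dst": inner["dst"],
            "orig_proto": inner["proto"], "sport": ports[0], "dport": ports[1]}


def build_ipv4(src, dst, proto, payload, ident=0, mf=False, frag_off=0):
    """Assemble a constructed IPv4 packet for the examples (header checksum left zero)."""
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


# Constructed sample packets: one datagram split into an evasive tiny first
# fragment, a normal-sized fragment, and a small but legitimate last fragment.
TINY_FRAG = build_ipv4("10.0.0.5", "10.0.0.9", 6, b"\x00" * 16, ident=0x1234, mf=True)
FULL_FRAG = build_ipv4("10.0.0.5", "10.0.0.9", 6, b"\x00" * 1480, ident=0x1234, mf=True)
LAST_FRAG = build_ipv4("10.0.0.5", "10.0.0.9", 6, b"\x00" * 16, ident=0x1234, frag_off=1480)

# A 38-byte UDP query from 10.0.0.5:40000 to 192.0.2.7:53 that was refused;
# the responder echoes the original IP header plus the first 8 bytes (the
# UDP header) inside a port-unreachable (type 3, code 3).
_ORIG = build_ipv4("10.0.0.5", "192.0.2.7", 17,
                   struct.pack("!HHHH", 40000, 53, 8 + 30, 0) + b"Q" * 30)
PORT_UNREACH = build_ipv4("192.0.2.7", "10.0.0.5", 1,
                          struct.pack("!BBHI", ICMP_DEST_UNREACH, 3, 0, 0) + _ORIG[:28])

if __name__ == "__main__":
    for name, p in (("tiny", TINY_FRAG), ("full", FULL_FRAG), ("last", LAST_FRAG)):
        print(name, "TINY FRAGMENT" if is_tiny_fragment(p) else "ok")
    print(decode_icmp_unreach(PORT_UNREACH))
```

   Running it prints the tiny first fragment as flagged, the other two as
   ok, and the decoded unreachable showing the refused 10.0.0.5 -> 192.0.2.7
   UDP/53 attempt, which is the information the logged alert packet gives
   you when snort is run with "-d".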

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does building snort complain about missing references?

A: Build libpcap and then run "make install-incl" so that its header files
   are installed where snort's configure script can find them.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does building snort fail with errors about yylex and lex_init?

A: You need the lex and yacc tools or their gnu equivalents
   flex and bison installed.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What is the use of the "-r" switch to read tcpdump files? 

A: Used in conjunction with a snort rules file, the tcpdump data can be
   analyzed for hostile content, port scans, or anything else Snort can be used
   to detect.  Snort can also just simply display the packets in their decoded
   format, which many people find is easier to read than native tcpdump
   output. 

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I get Snort to log the packet payload as well as the header? 

A: Use the "-d" command line option.  

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Does Snort log the full packets that it generates alerts on? 

A: Yes, they should be in the directory that has the same IP address as the
   source host of the packet which generated the alert.   

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does the program generate alerts on packets that have pass rules? 

A: The default order that the rules are applied in is alerts first, then pass
   rules, then log rules.  This ordering ensures that you don't write 50 great
   alert rules and then disable them all accidentally with an errant pass rule. 
   If you really want to change this order so that the pass rules are applied
   first, use the "-o" command line switch.  

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Does Snort perform TCP stream reassembly? 

A: Yes, this capability is in BETA testing with the 1.7 release. 

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: SMB alerts aren't working, what's wrong? 

A: Make sure you include "--enable-smbalerts" when you run "./configure". SMB alerts are not   
   available in WIN32.
 

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How can I test snort without having an ethernet card or a connection to
   other computers? 

A: You have to use routing between two dummy devices: (NOTE: This is not 
   possible in WIN32)

	modprobe -a dummy        (the dummy driver has to be built as a kernel module)
	ifconfig dummy0 192.168.0.1
	ifconfig dummy0:0 192.168.0.2
	telnet 192.168.0.3 12345

   It's important that the second IP is on the same interface and not e.g.
   dummy1 or dummy2, and that the IP you try to access is *not* one of those
   you put on the interfaces.  Use snort's ability to listen in promiscuous
   mode on an IP address range (e.g. HOME_NET set to 192.168.0.0/16).

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I'm having problems getting snort to log to a database...

A: There were some issues with snort 1.6.3 database writes.

   Lee wrote..
   > > Initializing rule chains...
   > > log_database: Database type is mysql
   > > log_database: Database name is snort
   > > log_database: Host set to localhost
   > > log_database: User set to root
   > > Problem obtaining SENSOR ID (sid) from mysql->snort->event

   In version 1.6.3, it turns out that many people have seen this error
   because they did not compile in support for their database. It should 
   be fixed in snort 1.7

   A quick and easy "fix" for older snort versions is to add -lm to
   either LIBS or LDFLAGS in the Makefile. e.g.

   LIBS = -lm -lmysqlclient -lpcap -lsocket -lnsl

   Anyway, if you are still having this problem you can take a look at
   the updated installation and configuration information at the
   following web site.

   http://www.incident.org/snortdb

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where do I get more help on snort?

A: http://lists.sourceforge.net/mailman/listinfo/snort-users

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How to start snort as a win32 service?

A: You must use the SRVANY.EXE and INSTSRV.exe that come with the Windows
   NT/2000 Resource Kit.
   
   You first must install the SRVANY service. At a command prompt type:
   INSTSRV SrvAny <PATH TO RESKIT>\srvany.exe.
   
   Now you can install and configure the snort service.
   
   At a command prompt, type the following command:
   <path>\INSTSRV.EXE snort <path>\SRVANY.EXE
   where <path> is the drive and directory of the Windows NT Resource Kit
   (i.e., C:\RESKIT).
	
   WARNING: Using Registry Editor incorrectly can cause serious problems
   that may require you to reinstall your operating system. Use
   Registry Editor at your own risk.
	
   For information about how to edit the registry, view the
   "Changing Keys And Values" online Help topic or the "Add and Delete
   Information in the Registry" and "Edit Registry Data" online Help topics
   in Registry Editor.
	
   NOTE: You should back up the registry before you edit it.
	
   Run Registry Editor (Regedt32.exe)and locate the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<My Service>
   where <My Service> is the name given to INSTSRV above, i.e. snort.

   From the Edit menu, click Add Key. Type the following and click OK:
	Key Name: Parameters
	Class : <leave blank>

   Select the Parameters key.

   From the Edit menu, click Add Value. Type the following and click OK:
	Value Name: Application
	Data Type : REG_SZ
	String : <path>\<application.ext>
   where <path>\<application.ext> is the drive and full path to the snort
   executable including the extension (e.g., C:\Snort\snort.exe).

   Highlight the Parameters key again and, from the Edit menu, click
   Add Value to add a second value.  Type the following and click OK:
   	Value Name: AppParameters
   	Data Type: REG_SZ
   
   When the String Editor dialog box opens up add the command line options you
   need.
   For example: -c snort-lib -E
   
   Open up the Services applet in the Control Panel, scroll to the snort line
   and double click on it.  Choose the Startup Type: Automatic (this allows
   snort to run when no one is logged on).  The same dialog sets the Log On
   account: a service created this way runs as LocalSystem by default, so
   review that choice, since snort will be parsing untrusted traffic with
   those rights.
   
   Now snort is set to run as a service!
   
   
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I process those snort logs into HTML reports?
