win32_faq.txt


A1: One popular solution is SnortSnarf, a tool that produces HTML
    out of Snort alerts so you can navigate through them
    (and does a whole lot more).
    http://www.silicondefense.com/snortsnarf/

A2: If you want to set up logging to a database, you could try ACID.
    Some documentation describing the current ACID functionality:

    http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why do certain alerts seem to have 'unknown' IPs in ACID? 

A: The Snort database plug-in only logs packet information into the database
   when an alert is triggered by a rule (signature). Therefore, since alerts
   generated by preprocessors such as portscan and mini-fragment have no
   corresponding rules, no packet information is logged beyond an entry
   indicating their occurrence. As a consequence, ACID cannot display any
   packet-level (e.g. IP address) information for these alerts.

   For these particular alerts, certain statistics may show zero unique IP
   addresses, list the IP address as 'unknown', and will not list any packet
   information when decoding the alert. 

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does the 'error deleting alert' message occur when attempting to delete
   an alert with ACID?

A: Most likely the DB user configured in ACID does not have sufficient
   privileges. In addition to those privileges granted to log the alerts into
   the database (INSERT, SELECT), DELETE is also required.

   This permission related issue can be confirmed by manually inserting a row
   into the database, then trying to delete it. 

   1. Log in to MySQL with the same credentials (i.e. username, password) as you
      use in ACID.

   e.g. % mysql -u <username> -p

   2. insert a test row into the event table 

   mysql> INSERT INTO event (sid, cid, signature, timestamp) VALUES (1,1000000, "test", "0");

   (this assumes that you don't already have a row with event ID=1000000. If
    you do, just choose another event id #)

   3. now delete this newly inserted row 

   mysql> DELETE FROM event WHERE sid=1 AND cid=1000000;

   If you were not able to delete, this confirms that this is a permission
   problem. Re-login to MySQL as root, and issue a GRANT command (giving the
   DELETE permission) to the ACID DB user.

   e.g. GRANT DELETE on snort.* to acid@localhost

   (this assumes that the alert database is 'snort', the username is 'acid', and
   ACID is logging from 'localhost')
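   The manual insert/delete test above tells you whether the privilege is
   missing; the added Python example below (not part of ACID or this FAQ)
   automates the same check from the output of SHOW GRANTS, so it can be run
   from a provisioning script before ACID is pointed at the database. The
   grant lines and the user/host names are constructed sample data.

```python
import re

# Privileges ACID needs on the alert database: INSERT and SELECT for logging,
# DELETE to remove alerts from the console.
REQUIRED_PRIVILEGES = {"SELECT", "INSERT", "DELETE"}

# Constructed output of SHOW GRANTS FOR 'acid'@'localhost' for a user that was
# only ever granted logging rights, and the same user after the DELETE grant.
SAMPLE_GRANTS_BEFORE = [
    "GRANT USAGE ON *.* TO 'acid'@'localhost' IDENTIFIED BY PASSWORD '*HASH*'",
    "GRANT SELECT, INSERT ON `snort`.* TO 'acid'@'localhost'",
]
SAMPLE_GRANTS_AFTER = SAMPLE_GRANTS_BEFORE + [
    "GRANT DELETE ON `snort`.* TO 'acid'@'localhost'",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.IGNORECASE
)


def parse_grants(lines):
    """Map each grant scope (e.g. 'snort.*' or '*.*') to the privileges held there."""
    grants = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        scope = m.group("scope").replace("`", "")
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        grants.setdefault(scope, set()).update(privs)
    return grants


def missing_privileges(lines, db="snort"):
    """Return the sorted list of required privileges the user lacks on `db`."""
    grants = parse_grants(lines)
    held = set()
    # Global grants (*.*) and database grants (db.*) both apply to the tables.
    for scope in (f"{db}.*", "*.*"):
        privs = grants.get(scope, set())
        if "ALL PRIVILEGES" in privs or "ALL" in privs:
            return []
        held |= privs
    return sorted(REQUIRED_PRIVILEGES - held)


def grant_statement(db, user, host, privileges):
    """Build the GRANT statement an administrator would run as root."""
    return f"GRANT {', '.join(privileges)} ON {db}.* TO '{user}'@'{host}';"


if __name__ == "__main__":
    missing = missing_privileges(SAMPLE_GRANTS_BEFORE)
    if missing:
        print("missing:", missing)
        print("fix with:", grant_statement("snort", "acid", "localhost", missing))
    print("after fix, missing:", missing_privileges(SAMPLE_GRANTS_AFTER))
```

   Feed the function the real SHOW GRANTS rows (one string per row) and it
   reports exactly which of SELECT, INSERT and DELETE still has to be granted.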

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: ACID appears to be broken in Lynx

A: This is a known issue. Lynx mangles some of the form arguments appended to
   the URL. Its resolution is being investigated, but use Netscape, Opera, or
   IE in the meantime.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Can priorities be assigned to Alerts using ACID? 

A: The quick answer to this question is no. ACID is at the mercy of the
   underlying database: since Snort doesn't assign priorities, ACID does not
   have priorities. Nevertheless, there are several work-arounds:

  It is possible to enforce priorities of a sort at the database level by
  writing alerts of different severity to separate databases. For example,
  critical alerts such as buffer overflows can be written to one database,
  while scan alerts can be written to another. Then load two different versions
  of ACID, each pointing to a different instance of the database.

  With manual intervention, Alert Groups (AG) can be used to assign priority.
  Essentially, this strategy entails creating an AG for each severity level and
  manually moving the alerts as they arrive into the appropriate group.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: My ACID db connection times out when performing long operations (e.g.
   deleting a large number of alerts)

A: PHP has an internal variable that limits how long a script can
   execute. It is used to prevent poorly written code from running
   indefinitely. To change the time-out value, adjust the
   'max_execution_time' variable found in the 'php.ini' configuration file.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does snort report "Packet loss statistics are unavailable under Linux"?

A:  The Linux IP stack doesn't report lost packet stats.  This may be changing
    in version 2.4 of Linux, but for now you just don't get them.  Try one
    of the BSDs, they work just fine.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What the heck is a SYNFIN scan?

A: SYNFIN scans got their name because both the SYN and FIN flags are set
   in the same packet, a combination that never occurs in a normal TCP session.
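   The flag combination is easy to recognise in the raw TCP header, which is
   what a rule option such as flags:SF; matches on. The added Python example
   below is not from Snort or this FAQ; it parses the flags word out of a
   20-byte TCP header, names the set flags, and classifies the SYNFIN, NULL,
   FIN and XMAS combinations that scanners use. The sample segments are
   constructed in the code.

```python
import struct

# TCP flag bits, found in the low byte of the 16-bit data-offset/flags word
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("F", FIN), ("S", SYN), ("R", RST), ("P", PSH), ("A", ACK), ("U", URG))


def build_tcp_header(sport, dport, flags):
    """Construct a minimal 20-byte TCP header (constructed test data, no payload)."""
    offset_flags = (5 << 12) | (flags & 0x3F)   # data offset = 5 words, then flags
    # ports, seq, ack, offset/flags, window, checksum (left 0), urgent pointer
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 1024, 0, 0)


def tcp_flags(segment):
    """Extract the six classic flag bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    return offset_flags & 0x3F


def flag_string(flags):
    """Letters for the set flags in F/S/R/P/A/U order, or 'none'."""
    return "".join(n for n, bit in FLAG_NAMES if flags & bit) or "none"


def classify(flags):
    """Name the flag combination the way a scan detector would."""
    if flags & SYN and flags & FIN:
        return "SYNFIN"        # open and close at once: never legitimate
    if flags == 0:
        return "NULL"          # no flags at all
    if flags == FIN:
        return "FIN"           # bare FIN without ACK
    if flags == FIN | PSH | URG:
        return "XMAS"          # FIN, PSH and URG lit up together
    return "normal"


def scan_report(segments):
    """Classify each raw segment; returns a list of (flag letters, name) tuples."""
    report = []
    for seg in segments:
        f = tcp_flags(seg)
        report.append((flag_string(f), classify(f)))
    return report


# Constructed sample traffic: a normal connection attempt, a SYNFIN probe, a NULL probe
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 80, SYN),
    build_tcp_header(40001, 80, SYN | FIN),
    build_tcp_header(40002, 80, 0),
]

if __name__ == "__main__":
    for letters, name in scan_report(SAMPLE_SEGMENTS):
        print(f"{letters:<6} {name}")
```

   Only the header bytes are inspected, so the same functions work on the
   TCP portion of any captured packet once the IP header has been stripped.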


--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What about 'SMB Name Wildcard' alerts?

A: Whitehats IDS177
   http://dev.whitehats.com/cgi/test/new.pl/Show?_id=netbios-name-query
   specifies traffic coming from *outside* of your local network. Allowing
   NetBIOS traffic over public networks is usually very insecure.

   If the rule you are using also refers to ingress traffic only, then that
   would explain why you don't see a lot of false positives. For anyone
   reading who does see a lot of false positives: if you change your rule
   so that the source address is !$HOME (or whatever variable you
   use to represent your internal network), then you should see most of the
   false positives go away.

   The value of this check is that it shows a default administrative share
   (C$, ADMIN$ or some such) has been accessed. This shouldn't happen in
   normal use: when people want to share files they should be implicitly
   defining the shares and ACL.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Which takes precedence, commandline or rule file ?

A: The command line always gets precedence over the rules file.  If people
   want to try stuff out quickly without having to manually edit the rules
   file, they should be able to override many things from the command
   line.  

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: My /var/log/snort directory gets very large.....

A: Try this script to archive the files.

#!/bin/sh
#
# Logfile rotation script for snort written by jameso@elwood.net.
#
# This script is pretty basic. We start out by setting some vars.
# Its job is to rotate the day's logfiles, e-mail you with what
# it logged, keep one week's worth of uncompressed logs, and also
# keep compressed tgz files of all the logs. It is made to be run
# at midnight every night. This script expects you to have a base
# dir that you keep all of your logs, rule sets etc in. You can
# see what sub dirs it expects from looking at the var settings
# below.
#
# Things to note in this script: we run this script at 12
# every night, so we want to set the dirdate var to the day the script
# runs minus a day so we label the files with the correct day. We
# then create a dir for the day's logs, and move the log files into
# today's dir. As soon as that is done restart snort so we don't miss
# anything. Then delete any logs that are uncompressed and over a
# week old. Then compress today's logs and archive them away, and
# end up by mailing out the logs to you.
#

# Define where you have the base of your snort install

snortbase=/usr/snort

# Define other vars
# logdir   - Where the logs are kept
# oldlogs  - Where you want the archived .tgz logs kept
# weeklogs - This is where you want to keep a week's worth of log files uncompressed
# dirdate  - Yesterday's date in Month-Day-Year format
# olddirdate - Date in the same format as dirdate, but a week before dirdate

logdir=$snortbase/log
oldlogs=$snortbase/oldlogs
weeklogs=$snortbase/weeklogs

# When I first wrote this script, I only ran it on BSD systems. That was a
# mistake, as BSD systems have a date command that apparently lets you walk the
# date back pretty easily. Well, some systems don't have this feature, so I had
# to change the way that dates are done in here. I left in the old way, because
# it is cleaner, and I added in a new way that should be portable. If anyone
# has any problems, just let me know and I will try to fix it.
#
# You have to change the system var to either bsd or other. Set it to bsd if
# your system supports the "-v" flag. If you are not sure, set it to other.
# Note that the "other" branch only subtracts from the day of the month, so
# during the first eight days of a month it produces wrong directory names.

system=bsd

if [ "$system" = bsd ]
then
 dirdate=`date -v -1d "+%m-%d-%y"`
 olddirdate=`date -v -8d "+%m-%d-%y"`
elif [ "$system" = other ]
then
 month=`date "+%m"`
 yesterday=`expr \`date "+%d"\` - 1`
 eightday=`expr \`date "+%d"\` - 8`
 year=`date "+%y"`

 dirdate=$month-$yesterday-$year
 olddirdate=$month-$eightday-$year
fi

# Create the dir for today's logs.

if [ ! -d "$weeklogs/$dirdate" ]
then
 mkdir "$weeklogs/$dirdate"
fi

# Move the log files into today's log dir. This is done with
# a for loop right now, because I am afraid that if a lot is
# logged there may be too many items to move with a "mv *"
# type command. There may be a better way to do this, but I don't
# know it yet. The glob (rather than parsing ls output) keeps
# filenames with spaces intact; the -e test skips an empty dir.

for logitem in "$logdir"/* ; do
 [ -e "$logitem" ] && mv "$logitem" "$weeklogs/$dirdate"
done

# Kill and restart snort now that the log files are moved.

kill `cat /var/run/snort_fxp0.pid`

# Restart snort in the correct way for you

/usr/local/bin/snort -i fxp0 -d -D -h homeiprange/28 -l /usr/snort/log \
-c /usr/snort/etc/08292k.rules > /dev/null 2>&1

# Delete any uncompressed log files that are over a week old.

if [ -d "$weeklogs/$olddirdate" ]
then
 rm -r "$weeklogs/$olddirdate"
fi

# Compress and save the log files to keep for as long as you want.
# This is done in a sub-shell because we change dirs, and I don't want
# to do that within the shell that the script runs in.

(cd "$weeklogs" && tar zcvf "$oldlogs/$dirdate.tgz" "$dirdate" > /dev/null 2>&1)

# Mail out the log files for today.

cat "$weeklogs/$dirdate/snort.alert" | mail -s "Snort logs" you@domain.com
cat "$weeklogs/$dirdate/snort_portscan.log" | mail -s "Snort portscan logs" you@domain.com
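The weak spot in the script above is the portable "other" branch: it subtracts
from the day number only, so at the start of a month it labels the directory
with a day of 0 or a negative number and the week-old directory is never
found and never deleted. The added Python example below is not part of the
script; it computes the same dirdate/olddirdate names with real calendar
arithmetic, reproduces the naive arithmetic so the failure is visible, and
selects every dated directory older than the retention window instead of
only the one that is exactly eight days old. Directory names and dates are
constructed sample data.

```python
from datetime import date, datetime, timedelta

DATE_FMT = "%m-%d-%y"   # the Month-Day-Year layout the script's dirdate uses


def rotation_dates(today):
    """(dirdate, olddirdate) for a run just after midnight on `today`."""
    dirdate = (today - timedelta(days=1)).strftime(DATE_FMT)
    olddirdate = (today - timedelta(days=8)).strftime(DATE_FMT)
    return dirdate, olddirdate


def naive_rotation_dates(today):
    """Reproduce the script's 'other' branch: subtract from the day number only."""
    month = f"{today.month:02d}"
    year = f"{today.year % 100:02d}"
    return f"{month}-{today.day - 1}-{year}", f"{month}-{today.day - 8}-{year}"


def parse_dirdate(name):
    """Parse a directory name in DATE_FMT; None for anything that is not one."""
    try:
        return datetime.strptime(name, DATE_FMT).date()
    except ValueError:
        return None


def expired_dirs(names, today, keep_days=7):
    """Dated directories older than the retention window, whatever their exact age.

    Unlike deleting only the directory from exactly eight days ago, this also
    catches directories left behind by days on which the script did not run.
    """
    cutoff = today - timedelta(days=keep_days)
    expired = []
    for name in names:
        d = parse_dirdate(name)
        if d is not None and d < cutoff:
            expired.append(name)
    return sorted(expired)


if __name__ == "__main__":
    run_day = date(2000, 9, 1)   # constructed: first day of a month
    print("correct  :", rotation_dates(run_day))
    print("naive    :", naive_rotation_dates(run_day))
    listing = ["08-10-00", "08-24-00", "08-25-00", "08-31-00", "README"]
    print("to delete:", expired_dirs(listing, run_day))
```

The retention check deliberately ignores names that do not parse as dates, so
a stray file in the weekly directory is never removed by mistake.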


--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Is it possible with snort to add an ipfilter/ipfw rule to a firewall?

A: Yes, with additional software in the contrib directory. But this
   can be dangerous and is not recommended unless you know what you're
   doing.

   Guardian is available and is part of the contrib directory in
   the tarball distribution.

   Guardian is a Perl script which uses snort to detect attacks,
   and then uses ipchains to deny any further attacks.

   The Guardian webpage can be found at:
   http://www.chaotic.org/~astevens/Guardian/index.html
   or you can use the mirror,
   http://www.cyberwizards.com/~midnite/Guardian/index.html

   But one caveat... running external binaries can also be a performance
   limiter, and you should read the caution below...

   Christopher Cramer wrote:
   >
   > I'm sure this has been mentioned before in similar discussions, but this
   > feels like a _really_ bad idea.  What if the bad guys realize what is
   > going on and make use of your blocking method as a DoS attack.  All one
   > would have to do is start sending a series of triggering packets with spoofed
   > IP addresses.
   >
   > Since I am no longer interested in breaking into your site, but rather
   > making your life hell, I don't worry about the resulting data getting back
   > to me.  All I have to do is start proceeding up a list of IP addresses
   > that I think you should no longer be able to talk to.  When you come in
   > the next morning, you find that you can no longer access the world.
   >
   > Just my $0.02.
   >

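   The point of the caution is that an automatic block reacts to a source
   address the sensor cannot verify, so blocking must be bounded. The added
   Python example below is not part of Guardian or this FAQ; it sketches the
   decision policy a defender would put in front of any blocking hook: a
   never-block list for addresses you cannot afford to lose (your own
   networks, gateway, DNS), a minimum alert count, a cap on active entries,
   and expiry so entries do not accumulate. Class name, thresholds and the
   addresses used are constructed for illustration.

```python
import ipaddress


class BlockPolicy:
    """Decide whether an alert's source address may be blocked automatically."""

    def __init__(self, never_block, max_active=100, ttl_seconds=3600, min_alerts=3):
        # Networks that must never be cut off, whatever alerts claim about them.
        self.never_block = [ipaddress.ip_network(n, strict=False) for n in never_block]
        self.max_active = max_active    # hard cap on firewall entries we will add
        self.ttl = ttl_seconds          # blocks expire instead of piling up
        self.min_alerts = min_alerts    # a single alert is not enough evidence
        self.active = {}                # blocked ip -> expiry time (seconds)
        self.alerts = {}                # ip -> alerts seen while not blocked

    def expire(self, now):
        """Drop blocks whose lifetime has passed and forget their alert counts."""
        for ip in [ip for ip, until in self.active.items() if until <= now]:
            del self.active[ip]
            self.alerts.pop(ip, None)

    def decide(self, src_ip, now):
        """Return the action for an alert from src_ip at time `now`."""
        ip = ipaddress.ip_address(src_ip)
        self.expire(now)
        if any(ip in net for net in self.never_block):
            return "ignore-protected"
        if ip in self.active:
            return "already-blocked"
        self.alerts[ip] = self.alerts.get(ip, 0) + 1
        if self.alerts[ip] < self.min_alerts:
            return "watch"
        if len(self.active) >= self.max_active:
            return "refuse-table-full"   # cap reached: log it, do not block
        self.active[ip] = now + self.ttl
        return "block"


if __name__ == "__main__":
    # Constructed: protect the internal net and the upstream resolver, allow
    # at most two active blocks that last 60 seconds, require two alerts.
    policy = BlockPolicy(["10.0.0.0/8", "192.0.2.1/32"],
                         max_active=2, ttl_seconds=60, min_alerts=2)
    for t, src in enumerate(["10.1.2.3", "198.51.100.7", "198.51.100.7",
                             "198.51.100.8", "198.51.100.8",
                             "198.51.100.9", "198.51.100.9"]):
        print(t, src, policy.decide(src, t))
```

   The "refuse-table-full" outcome is the important one: when the table is
   full the policy stops adding entries rather than locking out ever more of
   the Internet, which is exactly the failure the quoted message describes.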

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How can I run snort on multiple interfaces simultaneously?

A: If you aren't running snort on a Linux 2.1.x/2.2.x kernel (with LPF available),
    the only way is to run multiple instances of snort, one instance per
    interface. However, for Linux 2.1.x/2.2.x and higher you can use the libpcap
    library with S. Krahmer's patch, which allows you to specify 'any' as the interface
    name. In this case snort will be able to process traffic coming to all
    interfaces.

    This is NOT possible in WIN32.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings, what's wrong?

A:  You are using an older libpcap version with a recent Linux kernel. There should be
    no problem with it as long as your kernel supports the SOCK_PACKET socket type. To
    get rid of the warning message, however, you'll have to upgrade to a recent
    version of libpcap (a copy from www.tcpdump.org is recommended).


--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: The IP address is assigned dynamically to my interface, can I use snort with it?

A:  Yes. With snort 1.7 and later, the <interface>_ADDRESS variable (e.g.
    eth0_ADDRESS) is available. Its value is always set to the IP address/netmask
    of the interface on which you run snort. If the interface goes down and up
    again (and an IP address is reassigned) you will have to restart snort. For
    earlier versions of snort, numerous scripts to achieve the same result are
    available.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: on HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument

A:  It's because there's another program running using the DLPI service.
    The HP-UX implementation doesn't allow more than one libpcap program
    at a time to run, unlike Linux. (from snort.c)

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: snort dies with a 'can not create file' error and I have plenty of disk space, what's wrong?

A:  You may have run out of free inodes, which basically also means you cannot
    create more files on the partition. The obvious solution is to rm some ;-)
