📄 snort_manual.tex
  \item \texttt{memcap $<$bytes$>$} - Memory cap for self preservation. Default is 4MB.
  \item \texttt{prealloc\_frags $<$number$>$} - Alternate memory management mode. Use preallocated fragment nodes (faster in some situations).
  \end{itemize}
\end{itemize}

\textbf{Engine Configuration}
\begin{itemize}
\item Preprocessor name: \texttt{frag3\_engine}
\item Available options:
  \begin{itemize}
  \item \texttt{timeout $<$seconds$>$} - Timeout for fragments. Fragments in the engine for longer than this period will be automatically dropped. Default is 60 seconds.
  \item \texttt{ttl\_limit $<$hops$>$} - Max TTL delta acceptable for packets based on the first packet in the fragment. Default is 5.
  \item \texttt{min\_ttl $<$value$>$} - Minimum acceptable TTL value for a fragment packet. Default is 1.
  \item \texttt{detect\_anomalies} - Detect fragment anomalies.
  \item \texttt{bind\_to $<$ip\_list$>$} - IP List to bind this engine to. This engine will only run for packets with destination addresses contained within the IP List. Default value is \texttt{all}.
  \item \texttt{policy $<$type$>$} - Select a target-based defragmentation mode. Available types are first, last, bsd, bsd-right, linux. Default type is bsd. The Paxson Active Mapping paper introduced the terminology frag3 is using to describe policy types. The known mappings are as follows. Anyone who develops more mappings and would like to add to this list please feel free to send us an email!

  \begin{tabular}{| l | l |}
  \hline
  \textbf{Platform} & \textbf{Type}\\
  \hline\hline
  AIX 2 & BSD \\ \hline
  AIX 4.3 8.9.3 & BSD \\ \hline
  Cisco IOS & Last \\ \hline
  FreeBSD & BSD \\ \hline
  HP JetDirect (printer) & BSD-right \\ \hline
  HP-UX B.10.20 & BSD \\ \hline
  HP-UX 11.00 & First \\ \hline
  IRIX 4.0.5F & BSD \\ \hline
  IRIX 6.2 & BSD \\ \hline
  IRIX 6.3 & BSD \\ \hline
  IRIX64 6.4 & BSD \\ \hline
  Linux 2.2.10 & linux \\ \hline
  Linux 2.2.14-5.0 & linux \\ \hline
  Linux 2.2.16-3 & linux \\ \hline
  Linux 2.2.19-6.2.10smp & linux \\ \hline
  Linux 2.4.7-10 & linux \\ \hline
  Linux 2.4.9-31SGI 1.0.2smp & linux \\ \hline
  Linux 2.4 (RedHat 7.1-7.3) & linux \\ \hline
  MacOS (version unknown) & First \\ \hline
  NCD Thin Clients & BSD \\ \hline
  OpenBSD (version unknown) & linux \\ \hline
  OpenBSD (version unknown) & linux \\ \hline
  OpenVMS 7.1 & BSD \\ \hline
  OS/2 (version unknown) & BSD \\ \hline
  OSF1 V3.0 & BSD \\ \hline
  OSF1 V3.2 & BSD \\ \hline
  OSF1 V4.0,5.0,5.1 & BSD \\ \hline
  SunOS 4.1.4 & BSD \\ \hline
  SunOS 5.5.1,5.6,5.7,5.8 & First \\ \hline
  Tru64 Unix V5.0A,V5.1 & BSD \\ \hline
  Vax/VMS & BSD \\ \hline
  Windows (95/98/NT4/W2K/XP) & First \\ \hline
  \end{tabular}
  \end{itemize}
\end{itemize}

\subsubsection{Format}

\begin{figure}[!hbpt]
\begin{verbatim}
preprocessor frag3_global
preprocessor frag3_engine
\end{verbatim}
\caption{Example configuration (Basic)\label{Frag3 Example Basic}}
\end{figure}

\begin{figure}[!hbpt]
\begin{verbatim}
preprocessor frag3_global: prealloc_nodes 8192
preprocessor frag3_engine: policy linux, bind_to 192.168.1.0/24
preprocessor frag3_engine: policy first, bind_to [10.1.47.0/24,172.16.8.0/24]
preprocessor frag3_engine: policy last, detect_anomalies
\end{verbatim}
\caption{Example configuration (Advanced)\label{Frag3 Example Advanced}}
\end{figure}

Note in the advanced example (Figure \ref{Frag3 Example Advanced}), there are three engines specified running with \emph{Linux}, \texttt{first} and \texttt{last} policies assigned.
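Why a policy has to be chosen per destination host is easiest to see on a concrete fragment set. The following is an added illustration written for this section, not Snort's frag3 code: a per-byte model of the five policy types applied to one constructed set of four overlapping fragments. The win/lose rule for each policy is my summary of the published target-based reassembly descriptions, which this page does not spell out, and is an assumption of the example.

```python
# Added example: a per-byte model of the five frag3 overlap policies, written
# for this page. It is not Snort's frag3 code; the win/lose rules below are my
# summary of the published target-based reassembly descriptions (an assumption).

def original_wins(policy, orig_off, new_off):
    """Does the fragment already holding a byte keep it against a later one?

    orig_off / new_off are the fragment offsets (in bytes) of the fragment
    that currently owns the byte and of the newly arrived fragment.
    """
    if policy == "first":
        return True                      # earliest arrival always wins
    if policy == "last":
        return False                     # latest arrival always wins
    if policy == "bsd":
        return orig_off <= new_off       # original wins unless new starts earlier
    if policy == "linux":
        return orig_off < new_off        # like bsd, but a tie goes to the new one
    if policy == "bsd-right":
        return orig_off > new_off        # new wins unless original starts later
    raise ValueError(f"unknown frag3 policy: {policy}")


def reassemble(fragments, policy):
    """Reassemble (offset, payload) fragments, given in arrival order.

    Returns the datagram payload, or None while a hole remains (the fragment
    set is incomplete, so no host could deliver it yet).
    """
    owner = {}                           # byte position -> (owning offset, byte)
    for off, data in fragments:
        for i, b in enumerate(data):
            pos = off + i
            if pos in owner and original_wins(policy, owner[pos][0], off):
                continue
            owner[pos] = (off, b)
    if sorted(owner) != list(range(len(owner))):
        return None
    return bytes(owner[p][1] for p in range(len(owner)))


# Constructed sample: four overlapping fragments of one datagram, in arrival order.
SAMPLE_FRAGMENTS = [(2, b"AAAA"), (0, b"BBBB"), (0, b"CC"), (4, b"DDD")]


def compare_policies(fragments):
    """Reassemble the same fragment set under every policy frag3 supports."""
    return {p: reassemble(fragments, p)
            for p in ("first", "last", "bsd", "bsd-right", "linux")}


if __name__ == "__main__":
    for policy, payload in compare_policies(SAMPLE_FRAGMENTS).items():
        print(f"{policy:9s} -> {payload}")
```

The sample yields five different payloads, one per policy, which is the gap the platform table and \texttt{bind\_to} exist to close: an engine bound with the wrong policy for a host reassembles something the host never sees.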
The first two engines are bound to specific IP address ranges and the last one applies to all other traffic. Packets that don't fall within the address requirements of the first two engines automatically fall through to the third one.

\subsubsection{Frag 3 Alert Output\label{frag3 alert output}}

Frag3 is capable of detecting eight different types of anomalies. Its event output is packet-based so it will work with all output modes of Snort. Read the documentation in the \texttt{doc/signatures} directory with filenames that begin with ``123-'' for information on the different event types.

%%Need to doc these eight types of anomalies and truncate beginning of section.

\subsection{Stream4\label{stream 4 section}}

The Stream4 module provides TCP stream reassembly and stateful analysis capabilities to Snort. Robust stream reassembly capabilities allow Snort to ignore ``stateless'' attacks (which include the types of attacks that Stick and Snot produce). Stream4 also gives large scale users the ability to track many simultaneous TCP streams. Stream4 is set to handle 8192 simultaneous TCP connections in its default configuration; however, it scales to handle over 100,000 simultaneous connections.

Stream4 can also provide session tracking of UDP conversations. To enable this in the Snort binary, pass \texttt{--enable-stream4udp} to \texttt{configure} before compiling. You will also need to enable it in the \texttt{stream4} configuration.

Stream4 contains two configurable modules: the global \texttt{stream4} preprocessor and the \texttt{stream4\_reassemble} preprocessor.

\begin{note}
Additional options can be used if Snort is running in inline mode. See Section \ref{Stream4Inline} for more information.
\end{note}

\subsubsection{Stream4 Format}

\begin{verbatim}
preprocessor stream4: [noinspect], [asynchronous_link], [keepstats [machine|binary]], \
                      [detect_scans], [log_flushed_streams], [detect_state_problems], \
                      [disable_evasion_alerts], [timeout <seconds>], [memcap <bytes>], \
                      [max_sessions <num sessions>], [enforce_state], \
                      [cache_clean_sessions <num of sessions>], [ttl_limit <count>], \
                      [self_preservation_threshold <threshold>], \
                      [self_preservation_period <seconds>], \
                      [suspend_threshold <threshold>], [suspend_period <seconds>], \
                      [state_protection], [server_inspect_limit <bytes>], \
                      [enable_udp_sessions], [max_udp_sessions <num sessions>], \
                      [udp_ignore_any]
\end{verbatim}

\begin{tabular}{| l | p{3.5in} |}
\hline
\textbf{Option} & \textbf{Description}\\
\hline \hline
\texttt{asynchronous\_link} & Uses state transitions based only on one-sided conversation (no tracking of acknowledge/sequence numbers).\\
\hline
\texttt{cache\_clean\_sessions~<num~sessions>} & Purges this number of least-recently used sessions from the session cache.\\
\hline
\texttt{detect\_scans} & Turns on alerts for portscan events.\\
\hline
\texttt{detect\_state\_problems} & Turns on alerts for stream events of note, such as evasive RST packets, data on the SYN packet, and out of window sequence numbers.\\
\hline
\texttt{enforce\_state} & Enforces statefulness so that sessions aren't picked up mid-stream.\\
\hline
\texttt{keepstats} & Records session summary information in \texttt{$<$logdir$>$/session.log}. If no options are specified, output is human readable.\\
\hline
\texttt{log\_flushed\_streams} & Log the packets that are part of a reassembled stream.\\
\hline
\texttt{disable\_evasion\_alerts} & Turns off alerts for events such as TCP overlap.\\
\hline
\texttt{timeout <seconds>} & Amount of time to keep an inactive stream in the state table; sessions that are flushed will automatically be picked up again if more activity is seen. The default value is 30 seconds.\\
\hline
\texttt{memcap <bytes>} & Sets the number of bytes used to store packets for reassembly.\\
\hline
\texttt{max\_sessions <num sessions>} & Sets the maximum number of simultaneous sessions.\\
\hline
\texttt{noinspect} & Disables stateful inspection.\\
\hline
\texttt{ttl\_limit <count>} & Sets the delta value that will set off an evasion alert.\\
\hline
\texttt{self\_preservation\_threshold <threshold>} & Sets the limit on the number of sessions before entering self-preservation mode (only reassemble data on the default ports).\\
\hline
\texttt{self\_preservation\_period <seconds>} & Sets the length of time (seconds) to remain in self-preservation mode.\\
\hline
\texttt{suspend\_threshold <threshold>} & Sets the limit on the number of sessions before entering suspend mode (no reassembly).\\
\hline
\texttt{suspend\_period <seconds>} & Sets the length of time (seconds) to remain in suspend mode.\\
\hline
\texttt{server\_inspect\_limit <bytes>} & Restricts inspection of server traffic to this many bytes until another client request is seen (i.e., a client packet with data).\\
\hline
\texttt{state\_protection} & Protects self against DoS attacks.\\
\hline
\texttt{enable\_udp\_sessions} & Enable UDP session tracking.\\
\hline
\texttt{max\_udp\_sessions <num sessions>} & The maximum number of UDP sessions to be tracked. Default is 8192 if UDP sessions are enabled.\\
\hline
\texttt{udp\_ignore\_any} & Ignore traffic on ports without port-specific rules. The result of this is that NO rules (including IP-only rules) are applied to UDP traffic that has a source/destination port that is listed in a port-specific rule.\\
\hline
\end{tabular}

\subsubsection{stream4\_reassemble Format}

\begin{verbatim}
preprocessor stream4_reassemble: [clientonly], [serveronly], [both], [noalerts], \
                                 [favor_old], [favor_new], [flush_on_alert], \
                                 [flush_behavior random|default|large_window], \
                                 [flush_base <number>], [flush_range <number>], \
                                 [flush_seed <number>], [overlap_limit <number>], \
                                 [ports <portlist>], [emergency_ports <portlist>] \
                                 [zero_flushed_packets], [flush_data_diff_size <number>] \
                                 [large_packet_performance]
\end{verbatim}

\begin{tabular}{| p{0.50\textwidth} | p{0.50\textwidth} |}
\hline
\textbf{Option} & \textbf{Description}\\
\hline\hline
\texttt{clientonly} & Provides reassembly for the client side of a connection only.\\
\hline
\texttt{serveronly} & Provides reassembly for the server side of a connection only.\\
\hline
\texttt{both} & Reassemble for client and server sides of connection.\\
\hline
\texttt{noalerts} & Won't alert on events that may be insertion or evasion attacks.\\
\hline
\texttt{favor\_old} & Favor old segments based on sequence number over new segments.\\
\hline
\texttt{favor\_new} & Favor new segments based on sequence number over old segments.\\
\hline
\texttt{flush\_on\_alert} & Flush a stream when an individual packet causes an alert.\\
\hline
\texttt{flush\_behavior random|default|large\_window} & Use specified flush behavior. \texttt{default} means use old static flush points. \texttt{large\_window} means use new larger flush points. \texttt{random} means use random flush points defined by \texttt{flush\_base}, \texttt{flush\_seed} and \texttt{flush\_range}.\\
\hline
\texttt{flush\_base <number>} & Lowest allowed random flush point. The default value is 512 bytes. Only used if \texttt{flush\_behavior} is \texttt{random}.\\
\hline
\texttt{flush\_range <number>} & Range within which random flush points are generated. The default value is 1213. Only used if \texttt{flush\_behavior} is \texttt{random}.\\
\hline
\texttt{flush\_seed <number>} & Random seed for flush points. The default value is computed from Snort PID + time. Only used if \texttt{flush\_behavior} is \texttt{random}.\\
\hline
\texttt{overlap\_limit <number>} & Alert when the number of overlapping data bytes reaches a threshold.\\
\hline
\texttt{ports <portlist>} & Provides reassembly for a whitespace-separated list of ports. By default, reassembly is performed for ports 21, 23, 25, 42, 53, 80, 110, 111, 135, 136, 137, 139, 143, 445, 513, 1443, 1521, and 3306. To perform reassembly for all ports, use \texttt{all} as the port list.\\
\hline