Olá pessoal, estou configurando o Snort para um trabalho acadêmico. Com base no arquivo de exemplo montei a configuração abaixo, porém quando executo o programa, a varredura do nmap não está sendo reconhecida, além de estar muito lento.
Alguém pode me ajudar a ajustar estas regras? Desde já muito obrigado.

#--------------------------------------------------
# http://www.snort.org Snort 2.7.0 Ruleset
# Contact: [EMAIL PROTECTED]
#--------------------------------------------------
# $Id$

# Step #1: Set the network variables:
# var HOME_NET $eth0_ADDRESS

# Internal network. The rules included in Step #6 are written for traffic
# towards $HOME_NET, and frag3 below is bound to the same range, so the host
# being scanned must sit inside 10.1.1.0/24 for those rules to apply.
var HOME_NET 10.1.1.0/24
# External network. "any" also covers HOME_NET, so a scanner that is itself
# inside the /24 still matches $EXTERNAL_NET.
var EXTERNAL_NET any
# Server address variables (all pointed at the internal network)
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
# Server port variables
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
#var ORACLE_PORTS 1521
#var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
# Path to the rule files
var RULE_PATH /etc/snort/rules

###################################################
# Step #2: Configure dynamic loaded libraries
# NOTE(review): in Snort 2.7 the smtp and dns preprocessors configured in
# Step #3 ship as dynamic preprocessors. With both loader lines below
# commented out, confirm the build provides them statically; otherwise
# re-enable the directory and engine lines and check the result with
# `snort -T -c <this file>`.
#dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
#dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so

###################################################
# Step #3: Configure preprocessors

# FLOW PREPROCESSOR (disabled)
# ---------------------------------------------------------------------
# NOTE(review): if this Snort version's sfportscan still depends on flow
# for its state tracking, leaving this disabled would explain missing scan
# alerts -- check README.sfportscan for 2.7.0 before relying on stream5 alone.
# preprocessor flow: stats_interval 0 hash 2

# STREAM4 PREPROCESSOR (disabled; stream5 below is used instead)
# ---------------------------------------------------------------------
# preprocessor stream4: detect_scans, \
#                       memcap 132000000, \
#                       disable_evasion_alerts
# preprocessor stream4_reassemble: both

# FRAG3 PREPROCESSOR: Target-based IP defragmentation
# ---------------------------------------------------------------------
preprocessor frag3_global: max_frags 65536
# Engine bound to the internal network only; fragments addressed elsewhere
# get no target-based reassembly.
preprocessor frag3_engine: policy linux \
    detect_anomalies \
    bind_to 10.1.1.0/24

# STREAM5 PREPROCESSOR: Target Based stateful inspection/stream reassembly for Snort
# ---------------------------------------------------------------------
preprocessor stream5_global: max_tcp 256000, track_tcp yes, \
    track_udp no, \
    memcap 64000000
# NOTE(review): "ports all" reassembles every TCP port, which is more
# per-packet work than the port list in the stock snort.conf. If throughput
# is the problem, try the stock port list here (and disable perfmonitor
# below) one change at a time to see which one matters.
preprocessor stream5_tcp: policy linux, \
    ports all, \
    detect_anomalies
# preprocessor stream5_udp: ignore_any_rules

# Performance Statistics
# ---------------------------------------------------------------------
# NOTE(review): "events" and "max" add statistics collection on top of the
# 10000-packet sampling; consider turning this off while troubleshooting
# the slowness, then re-enable it once the sensor keeps up.
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats events max pktcnt 10000

# HTTP_INSPECT PREPROCESSOR - OK
# ---------------------------------------------------------------------
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    detect_anomalous_servers
# Inspects only ports 80 and 8080; $HTTP_PORTS above is 80, so keep the two
# in step if more HTTP ports are added.
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    oversize_dir_length 500 \
    flow_depth 300 \
    double_decode yes \
    multi_slash yes \
    webroot yes
#    ascii no \
#    non_rfc_char { 0x00 } \
#    chunk_length 500000 \
#    non_strict \
#    no_alerts

# RPC_DECODE PREPROCESSOR: normalize RPC traffic (disabled)
# ---------------------------------
# preprocessor rpc_decode: 111 32771

# BO PREPROCESSOR: Back Orifice detector (disabled)
# -------------------------
# preprocessor bo: drop { snort_attack }

# TELNET_DECODE PREPROCESSOR (disabled)
# ---------------------------------------------------------------------
# preprocessor telnet_decode

# FTP_TELNET PREPROCESSOR (disabled)
# ---------------------------------------------------------------------
# preprocessor ftp_telnet: global \
#    encrypted_traffic yes \
#    inspection_type stateful
# preprocessor ftp_telnet_protocol: telnet \
#    normalize \
#    ayt_attack_thresh 200
# preprocessor ftp_telnet_protocol: ftp server default \
#    def_max_param_len 100 \
#    alt_max_param_len 200 { CWD } \
#    cmd_validity MODE < char ASBCZ > \
#    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
#    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
#    telnet_cmds yes \
#    data_chan
# preprocessor ftp_telnet_protocol: ftp client default \
#    max_resp_len 256 \
#    bounce yes \
#    telnet_cmds yes

# SMTP PREPROCESSOR: SMTP normalizer, protocol enforcement and buffer overflow
# ---------------------------------------------------------------------------
# NOTE(review): three commented-out options sit in the middle of this
# backslash-continued directive. That only parses if comment lines are
# skipped before continued lines are joined; `snort -T` will show whether
# the directive loads with all four alt_max_command_line_len entries.
preprocessor smtp: \
    ports { 25 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
#    max_command_line_len 512 \
#    max_header_line_len 1024 \
#    max_response_line_len 512 \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }

# sfPortscan PREPROCESSOR
# ----------
# NOTE(review): this is the component that reports a plain nmap SYN or
# connect scan (as a "(portscan)" alert); the signatures in scan.rules only
# fire on specific probe types such as XMAS/NULL/FIN or OS-fingerprint
# packets. sense_level low relies on negative responses (RST / ICMP
# unreachable) from the scanned host inside a fixed time window, so a scan
# against a host that drops the probes, or a slowed-down scan, is not
# reported at this level -- try sense_level { medium } (high for a lab) and
# confirm the scanned host is reachable on the interface the sensor listens on.
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    memcap { 10000000 } \
    sense_level { low }
#    logfile { /var/log/snort/log/scan.log } \
#    detect_ack_scans

# DNS
#----------------------------------------
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow

####################################################################
# Step #4: Configure output plugins
# NOTE(review): no output plugin is enabled here, so where alerts end up is
# decided entirely by the command line (-A / -l / -s). When checking whether
# the scan was "seen", look at the alert file in the log directory (or run
# with -A console), not at tcpdump.log, which is commented out below.
# output log_tcpdump: tcpdump.log

include classification.config
include reference.config

####################################################################
# Step #6: Customize your rule set
#=========================================
# NOTE(review): every enabled rule file adds matching work per packet; for
# a scan-detection exercise, scan.rules plus sfportscan is the relevant
# part, and the web-* files below could be left out until the sensor keeps
# up. The "ICMP PING NMAP" signature used by nmap's host discovery lives in
# icmp.rules, which is currently disabled further down.
include $RULE_PATH/local.rules
# include $RULE_PATH/bad-traffic.rules
# include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
# include $RULE_PATH/finger.rules
# include $RULE_PATH/ftp.rules
# include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
# include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
# include $RULE_PATH/sql.rules
# include $RULE_PATH/x11.rules
# include $RULE_PATH/icmp.rules
# include $RULE_PATH/netbios.rules
# include $RULE_PATH/misc.rules
# include $RULE_PATH/attack-responses.rules
# include $RULE_PATH/oracle.rules
# include $RULE_PATH/mysql.rules
# include $RULE_PATH/snmp.rules
# include $RULE_PATH/smtp.rules
# include $RULE_PATH/imap.rules
# include $RULE_PATH/pop2.rules
# include $RULE_PATH/pop3.rules
# include $RULE_PATH/nntp.rules
# include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/spyware-put.rules
# include $RULE_PATH/specific-threats.rules
# include $RULE_PATH/experimental.rules

Pedro C Borges User Linux # 398043