
From: "Sven Vermeulen (swift)" <swift@g.o>
To: gentoo-doc-cvs@l.g.o
Subject: [gentoo-doc-cvs] gentoo commit in xml/htdocs/doc/en/security: shb-intrusion.xml
Date: Wed, 09 Apr 2014 18:17:26
Message-Id: 20140409181722.447112004B@flycatcher.gentoo.org
1 swift 14/04/09 18:17:22
2
3 Modified: shb-intrusion.xml
4 Log:
5 Fix bug #507220 - Update snort to reflect reality (examples no longer work)
6
7 Revision Changes Path
8 1.7 xml/htdocs/doc/en/security/shb-intrusion.xml
9
10 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?rev=1.7&view=markup
11 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?rev=1.7&content-type=text/plain
12 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?r1=1.6&r2=1.7
13
14 Index: shb-intrusion.xml
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v
17 retrieving revision 1.6
18 retrieving revision 1.7
19 diff -u -r1.6 -r1.7
20 --- shb-intrusion.xml 20 Jul 2010 00:21:55 -0000 1.6
21 +++ shb-intrusion.xml 9 Apr 2014 18:17:22 -0000 1.7
22 @@ -1,5 +1,5 @@
23 <?xml version='1.0' encoding='UTF-8'?>
24 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v 1.6 2010/07/20 00:21:55 nightmorph Exp $ -->
25 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v 1.7 2014/04/09 18:17:22 swift Exp $ -->
26 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
27
28 <!-- The content of this document is licensed under the CC-BY-SA license -->
29 @@ -7,8 +7,8 @@
30
31 <sections>
32
33 -<version>2</version>
34 -<date>2010-07-19</date>
35 +<version>3</version>
36 +<date>2014-04-09</date>
37
38 <section>
39 <title>AIDE (Advanced Intrusion Detection Environment)</title>
40 @@ -339,101 +339,19 @@
41 SNORT_OPTS="-D -s -u snort -dev -l $LOGDIR -h $NETWORK -c $CONF"
42 </pre>
43
44 +<p>
45 +Copy <path>/etc/snort/snort.conf.distrib</path> to
46 +<path>/etc/snort/snort.conf</path>.
47 +</p>
48 +
49 <pre caption="/etc/snort/snort.conf">
50 -<comment>(Step 1)</comment>
51 -var HOME_NET 10.0.0.0/24
52 -var EXTERNAL_NET any
53 -var SMTP $HOME_NET
54 -var HTTP_SERVERS $HOME_NET
55 -var SQL_SERVERS $HOME_NET
56 -var DNS_SERVERS [10.0.0.2/32,212.242.40.51/32]
57 -var RULE_PATH ./
58 -
59 -<comment>(Step 2)</comment>
60 -preprocessor frag2
61 -preprocessor stream4: detect_scans detect_state_problems detect_scans disable_evasion_alerts
62 -preprocessor stream4_reassemble: ports all
63 -preprocessor http_decode: 80 8080 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
64 -preprocessor rpc_decode: 111 32771
65 -preprocessor bo: -nobrute
66 -preprocessor telnet_decode
67 -
68 -<comment>(Step 3)</comment>
69 -include classification.config
70 -
71 -<comment>(Step 4)</comment>
72 -include $RULE_PATH/bad-traffic.rules
73 -include $RULE_PATH/exploit.rules
74 -include $RULE_PATH/scan.rules
75 -include $RULE_PATH/finger.rules
76 -include $RULE_PATH/ftp.rules
77 -include $RULE_PATH/telnet.rules
78 -include $RULE_PATH/smtp.rules
79 -include $RULE_PATH/rpc.rules
80 -include $RULE_PATH/rservices.rules
81 -include $RULE_PATH/dos.rules
82 -include $RULE_PATH/ddos.rules
83 -include $RULE_PATH/dns.rules
84 -include $RULE_PATH/tftp.rules
85 -include $RULE_PATH/web-cgi.rules
86 -include $RULE_PATH/web-coldfusion.rules
87 -include $RULE_PATH/web-iis.rules
88 -include $RULE_PATH/web-frontpage.rules
89 -include $RULE_PATH/web-misc.rules
90 -include $RULE_PATH/web-attacks.rules
91 -include $RULE_PATH/sql.rules
92 -include $RULE_PATH/x11.rules
93 -include $RULE_PATH/icmp.rules
94 -include $RULE_PATH/netbios.rules
95 -include $RULE_PATH/misc.rules
96 -include $RULE_PATH/attack-responses.rules
97 -include $RULE_PATH/backdoor.rules
98 -include $RULE_PATH/shellcode.rules
99 -include $RULE_PATH/policy.rules
100 -include $RULE_PATH/porn.rules
101 -include $RULE_PATH/info.rules
102 -include $RULE_PATH/icmp-info.rules
103 -include $RULE_PATH/virus.rules
104 -# include $RULE_PATH/experimental.rules
105 -include $RULE_PATH/local.rules
106 +~# <i>cd /etc/snort &amp;&amp; cp snort.conf.distrib snort.conf</i>
107 </pre>
108
109 -<pre caption="/etc/snort/classification.config">
110 -config classification: not-suspicious,Not Suspicious Traffic,3
111 -config classification: unknown,Unknown Traffic,3
112 -config classification: bad-unknown,Potentially Bad Traffic, 2
113 -config classification: attempted-recon,Attempted Information Leak,2
114 -config classification: successful-recon-limited,Information Leak,2
115 -config classification: successful-recon-largescale,Large Scale Information Leak,2
116 -config classification: attempted-dos,Attempted Denial of Service,2
117 -config classification: successful-dos,Denial of Service,2
118 -config classification: attempted-user,Attempted User Privilege Gain,1
119 -config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
120 -config classification: successful-user,Successful User Privilege Gain,1
121 -config classification: attempted-admin,Attempted Administrator Privilege Gain,1
122 -config classification: successful-admin,Successful Administrator Privilege Gain,1
123 -
124 -# NEW CLASSIFICATIONS
125 -config classification: rpc-portmap-decode,Decode of an RPC Query,2
126 -config classification: shellcode-detect,Executable code was detected,1
127 -config classification: string-detect,A suspicious string was detected,3
128 -config classification: suspicious-filename-detect,A suspicious filename was detected,2
129 -config classification: suspicious-login,An attempted login using a suspicious username was detected,2
130 -config classification: system-call-detect,A system call was detected,2
131 -config classification: tcp-connection,A TCP connection was detected,4
132 -config classification: trojan-activity,A Network Trojan was detected, 1
133 -config classification: unusual-client-port-connection,A client was using an unusual port,2
134 -config classification: network-scan,Detection of a Network Scan,3
135 -config classification: denial-of-service,Detection of a Denial of Service Attack,2
136 -config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
137 -config classification: protocol-command-decode,Generic Protocol Command Decode,3
138 -config classification: web-application-activity,access to a potentially vulnerable web application,2
139 -config classification: web-application-attack,Web Application Attack,1
140 -config classification: misc-activity,Misc activity,3
141 -config classification: misc-attack,Misc Attack,2
142 -config classification: icmp-event,Generic ICMP event,3
143 -config classification: kickass-porn,SCORE! Get the lotion!,1
144 -</pre>
145 +<p>
146 +You might need to comment out the blacklist and whitelist entries
147 +if no lists are created.
148 +</p>
149
150 <p>
151 More information is at the <uri