swift 14/04/09 18:17:22 |
|
Modified: shb-intrusion.xml |
Log: |
Fix bug #507220 - Update snort to reflect reality (examples no longer work) |
|
Revision Changes Path |
1.7 xml/htdocs/doc/en/security/shb-intrusion.xml |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?rev=1.7&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?rev=1.7&content-type=text/plain |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?r1=1.6&r2=1.7 |
|
Index: shb-intrusion.xml |
=================================================================== |
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v |
retrieving revision 1.6 |
retrieving revision 1.7 |
diff -u -r1.6 -r1.7 |
20 |
--- shb-intrusion.xml 20 Jul 2010 00:21:55 -0000 1.6 |
21 |
+++ shb-intrusion.xml 9 Apr 2014 18:17:22 -0000 1.7 |
22 |
@@ -1,5 +1,5 @@ |
23 |
<?xml version='1.0' encoding='UTF-8'?> |
24 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v 1.6 2010/07/20 00:21:55 nightmorph Exp $ --> |
25 |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v 1.7 2014/04/09 18:17:22 swift Exp $ --> |
26 |
<!DOCTYPE sections SYSTEM "/dtd/book.dtd"> |
27 |
|
28 |
<!-- The content of this document is licensed under the CC-BY-SA license --> |
29 |
@@ -7,8 +7,8 @@ |
30 |
|
31 |
<sections> |
32 |
|
33 |
-<version>2</version> |
34 |
-<date>2010-07-19</date> |
35 |
+<version>3</version> |
36 |
+<date>2014-04-09</date> |
37 |
|
38 |
<section> |
39 |
<title>AIDE (Advanced Intrusion Detection Environment)</title> |
40 |
@@ -339,101 +339,19 @@ |
41 |
SNORT_OPTS="-D -s -u snort -dev -l $LOGDIR -h $NETWORK -c $CONF" |
42 |
</pre> |
43 |
|
44 |
+<p> |
45 |
+Copy <path>/etc/snort/snort.conf.distrib</path> to |
46 |
+<path>/etc/snort/snort.conf</path>. |
47 |
+</p> |
48 |
+ |
49 |
<pre caption="/etc/snort/snort.conf"> |
50 |
-<comment>(Step 1)</comment> |
51 |
-var HOME_NET 10.0.0.0/24 |
52 |
-var EXTERNAL_NET any |
53 |
-var SMTP $HOME_NET |
54 |
-var HTTP_SERVERS $HOME_NET |
55 |
-var SQL_SERVERS $HOME_NET |
56 |
-var DNS_SERVERS [10.0.0.2/32,212.242.40.51/32] |
57 |
-var RULE_PATH ./ |
58 |
- |
59 |
-<comment>(Step 2)</comment> |
60 |
-preprocessor frag2 |
61 |
-preprocessor stream4: detect_scans detect_state_problems detect_scans disable_evasion_alerts |
62 |
-preprocessor stream4_reassemble: ports all |
63 |
-preprocessor http_decode: 80 8080 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace |
64 |
-preprocessor rpc_decode: 111 32771 |
65 |
-preprocessor bo: -nobrute |
66 |
-preprocessor telnet_decode |
67 |
- |
68 |
-<comment>(Step 3)</comment> |
69 |
-include classification.config |
70 |
- |
71 |
-<comment>(Step 4)</comment> |
72 |
-include $RULE_PATH/bad-traffic.rules |
73 |
-include $RULE_PATH/exploit.rules |
74 |
-include $RULE_PATH/scan.rules |
75 |
-include $RULE_PATH/finger.rules |
76 |
-include $RULE_PATH/ftp.rules |
77 |
-include $RULE_PATH/telnet.rules |
78 |
-include $RULE_PATH/smtp.rules |
79 |
-include $RULE_PATH/rpc.rules |
80 |
-include $RULE_PATH/rservices.rules |
81 |
-include $RULE_PATH/dos.rules |
82 |
-include $RULE_PATH/ddos.rules |
83 |
-include $RULE_PATH/dns.rules |
84 |
-include $RULE_PATH/tftp.rules |
85 |
-include $RULE_PATH/web-cgi.rules |
86 |
-include $RULE_PATH/web-coldfusion.rules |
87 |
-include $RULE_PATH/web-iis.rules |
88 |
-include $RULE_PATH/web-frontpage.rules |
89 |
-include $RULE_PATH/web-misc.rules |
90 |
-include $RULE_PATH/web-attacks.rules |
91 |
-include $RULE_PATH/sql.rules |
92 |
-include $RULE_PATH/x11.rules |
93 |
-include $RULE_PATH/icmp.rules |
94 |
-include $RULE_PATH/netbios.rules |
95 |
-include $RULE_PATH/misc.rules |
96 |
-include $RULE_PATH/attack-responses.rules |
97 |
-include $RULE_PATH/backdoor.rules |
98 |
-include $RULE_PATH/shellcode.rules |
99 |
-include $RULE_PATH/policy.rules |
100 |
-include $RULE_PATH/porn.rules |
101 |
-include $RULE_PATH/info.rules |
102 |
-include $RULE_PATH/icmp-info.rules |
103 |
-include $RULE_PATH/virus.rules |
104 |
-# include $RULE_PATH/experimental.rules |
105 |
-include $RULE_PATH/local.rules |
106 |
+~# <i>cd /etc/snort && cp snort.conf.distrib snort.conf</i> |
107 |
</pre> |
108 |
|
109 |
-<pre caption="/etc/snort/classification.config"> |
110 |
-config classification: not-suspicious,Not Suspicious Traffic,3 |
111 |
-config classification: unknown,Unknown Traffic,3 |
112 |
-config classification: bad-unknown,Potentially Bad Traffic, 2 |
113 |
-config classification: attempted-recon,Attempted Information Leak,2 |
114 |
-config classification: successful-recon-limited,Information Leak,2 |
115 |
-config classification: successful-recon-largescale,Large Scale Information Leak,2 |
116 |
-config classification: attempted-dos,Attempted Denial of Service,2 |
117 |
-config classification: successful-dos,Denial of Service,2 |
118 |
-config classification: attempted-user,Attempted User Privilege Gain,1 |
119 |
-config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 |
120 |
-config classification: successful-user,Successful User Privilege Gain,1 |
121 |
-config classification: attempted-admin,Attempted Administrator Privilege Gain,1 |
122 |
-config classification: successful-admin,Successful Administrator Privilege Gain,1 |
123 |
- |
124 |
-# NEW CLASSIFICATIONS |
125 |
-config classification: rpc-portmap-decode,Decode of an RPC Query,2 |
126 |
-config classification: shellcode-detect,Executable code was detected,1 |
127 |
-config classification: string-detect,A suspicious string was detected,3 |
128 |
-config classification: suspicious-filename-detect,A suspicious filename was detected,2 |
129 |
-config classification: suspicious-login,An attempted login using a suspicious username was detected,2 |
130 |
-config classification: system-call-detect,A system call was detected,2 |
131 |
-config classification: tcp-connection,A TCP connection was detected,4 |
132 |
-config classification: trojan-activity,A Network Trojan was detected, 1 |
133 |
-config classification: unusual-client-port-connection,A client was using an unusual port,2 |
134 |
-config classification: network-scan,Detection of a Network Scan,3 |
135 |
-config classification: denial-of-service,Detection of a Denial of Service Attack,2 |
136 |
-config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 |
137 |
-config classification: protocol-command-decode,Generic Protocol Command Decode,3 |
138 |
-config classification: web-application-activity,access to a potentially vulnerable web application,2 |
139 |
-config classification: web-application-attack,Web Application Attack,1 |
140 |
-config classification: misc-activity,Misc activity,3 |
141 |
-config classification: misc-attack,Misc Attack,2 |
142 |
-config classification: icmp-event,Generic ICMP event,3 |
143 |
-config classification: kickass-porn,SCORE! Get the lotion!,1 |
144 |
-</pre> |
145 |
+<p> |
146 |
+You might need to comment out the blacklist and whitelist entries |
147 |
+if no lists are created. |
148 |
+</p> |
149 |
|
150 |
<p> |
151 |
More information is at the <uri |