File: faq.out

snort 2.3.3-11
\BOOKMARK [1][-]{section.1}{Background}{}
\BOOKMARK [2][-]{subsection.1.1}{How do you pronounce the names of some of these guys who work on Snort?}{section.1}
\BOOKMARK [2][-]{subsection.1.2}{Is Fyodor Yarochkin the same Fyodor who wrote nmap?}{section.1}
\BOOKMARK [2][-]{subsection.1.3}{Where do I get more help on Snort?}{section.1}
\BOOKMARK [2][-]{subsection.1.4}{Where can I get more reading and courses about IDS?}{section.1}
\BOOKMARK [2][-]{subsection.1.5}{Does Snort handle IP defragmentation?}{section.1}
\BOOKMARK [2][-]{subsection.1.6}{Does Snort perform TCP stream reassembly?}{section.1}
\BOOKMARK [2][-]{subsection.1.7}{Does Snort perform stateful protocol analysis?}{section.1}
\BOOKMARK [2][-]{subsection.1.8}{I'm on a switched network, can I still use Snort?}{section.1}
\BOOKMARK [2][-]{subsection.1.9}{Is Snort vulnerable to IDS noise generators like ``Stick'' and ``Snot''?}{section.1}
\BOOKMARK [2][-]{subsection.1.10}{Can Snort be evaded by the use of polymorphic mutators on shellcode?}{section.1}
\BOOKMARK [2][-]{subsection.1.11}{Does Snort log the full packets when it generates alerts? }{section.1}
\BOOKMARK [1][-]{section.2}{Getting Started}{}
\BOOKMARK [2][-]{subsection.2.1}{Where do I find binary packages for BlueHat BSD-Linux-RT?}{section.2}
\BOOKMARK [2][-]{subsection.2.2}{How do I run Snort?}{section.2}
\BOOKMARK [2][-]{subsection.2.3}{Where are my log files located? What are they named?}{section.2}
\BOOKMARK [2][-]{subsection.2.4}{Why does Snort complain about /var/log/snort?}{section.2}
\BOOKMARK [2][-]{subsection.2.5}{Where's a good place to physically put a Snort sensor?}{section.2}
\BOOKMARK [2][-]{subsection.2.6}{Libpcap complains about permissions problems, what's going on?}{section.2}
\BOOKMARK [2][-]{subsection.2.7}{ I've got RedHat and ....}{section.2}
\BOOKMARK [2][-]{subsection.2.8}{Where do I get the latest version of libpcap? }{section.2}
\BOOKMARK [2][-]{subsection.2.9}{Where do I get the latest version of Winpcap?}{section.2}
\BOOKMARK [2][-]{subsection.2.10}{What version of Winpcap do I need?}{section.2}
\BOOKMARK [2][-]{subsection.2.11}{Why does building Snort complain about missing references? }{section.2}
\BOOKMARK [2][-]{subsection.2.12}{Why does building snort fail with errors about yylex and lex\137init? }{section.2}
\BOOKMARK [2][-]{subsection.2.13}{I want to build a Snort box. Will this <Insert list of hardware> handle <this much> traffic? }{section.2}
\BOOKMARK [2][-]{subsection.2.14}{What are CIDR netmasks? }{section.2}
\BOOKMARK [2][-]{subsection.2.15}{What is the use of the ``-r'' switch to read tcpdump files? }{section.2}
\BOOKMARK [1][-]{section.3}{Configuring Snort}{}
\BOOKMARK [2][-]{subsection.3.1}{How do I set up snort on a `stealth' interface? }{section.3}
\BOOKMARK [2][-]{subsection.3.2}{How do I set up a receive-only ethernet cable?}{section.3}
\BOOKMARK [2][-]{subsection.3.3}{What are HOME\137NET and EXTERNAL\137NET?}{section.3}
\BOOKMARK [2][-]{subsection.3.4}{My network spans multiple subnets. How do I define HOME\137NET?}{section.3}
\BOOKMARK [2][-]{subsection.3.5}{How do I set EXTERNAL\137NET?}{section.3}
\BOOKMARK [2][-]{subsection.3.6}{How can I run Snort on multiple interfaces simultaneously?}{section.3}
\BOOKMARK [2][-]{subsection.3.7}{My IP address is assigned dynamically to my interface, can I use Snort with it?}{section.3}
\BOOKMARK [2][-]{subsection.3.8}{I have one network card and two aliases, how can I force Snort to ``listen'' on both addresses?}{section.3}
\BOOKMARK [2][-]{subsection.3.9}{How do I ignore traffic coming from a particular host or hosts?}{section.3}
\BOOKMARK [2][-]{subsection.3.10}{How do I get Snort to log the packet payload as well as the header?}{section.3}
\BOOKMARK [2][-]{subsection.3.11}{Why are there no subdirectories under /var/log/snort for IP addresses?}{section.3}
\BOOKMARK [2][-]{subsection.3.12}{How do you get Snort to ignore some traffic?}{section.3}
\BOOKMARK [2][-]{subsection.3.13}{Why does the portscan plugin log ``stealth'' packets even though the host is in the portscan-ignorehosts list? }{section.3}
\BOOKMARK [2][-]{subsection.3.14}{What the heck is a ``Stealth scan''?}{section.3}
\BOOKMARK [2][-]{subsection.3.15}{What the heck is a SYNFIN scan?}{section.3}
\BOOKMARK [2][-]{subsection.3.16}{Which takes precedence, commandline or rule file?}{section.3}
\BOOKMARK [2][-]{subsection.3.17}{How does rule ordering work?}{section.3}
\BOOKMARK [2][-]{subsection.3.18}{How do I configure stream4?}{section.3}
\BOOKMARK [2][-]{subsection.3.19}{Where does one obtain new/modified rules? How do you merge them in?}{section.3}
\BOOKMARK [2][-]{subsection.3.20}{How do you get the latest Snort via cvs?}{section.3}
\BOOKMARK [2][-]{subsection.3.21}{How do I use a remote syslog machine?}{section.3}
\BOOKMARK [2][-]{subsection.3.22}{How do I build this ACID thing?}{section.3}
\BOOKMARK [1][-]{section.4}{Rules and Alerts}{}
\BOOKMARK [2][-]{subsection.4.1}{Errors loading rules files}{section.4}
\BOOKMARK [2][-]{subsection.4.2}{Snort says ``Rule IP addr \(``1.1.1.1''\) didn't x-late, WTF?''}{section.4}
\BOOKMARK [2][-]{subsection.4.3}{Snort is behind a firewall \(ipf/pf/ipchains/ipfilter\) and awfully quiet...}{section.4}
\BOOKMARK [2][-]{subsection.4.4}{Does snort see packets filtered by IPTables/IPChains/IPF/PF?}{section.4}
\BOOKMARK [2][-]{subsection.4.5}{I'm getting large amounts of <some alerts type>. What should I do? Where can I go to find out more about it? }{section.4}
\BOOKMARK [2][-]{subsection.4.6}{What about all these false alarms? }{section.4}
\BOOKMARK [2][-]{subsection.4.7}{What are all these ICMP files in subdirectories under /var/log/snort? }{section.4}
\BOOKMARK [2][-]{subsection.4.8}{Why does the program generate alerts on packets that have pass rules? }{section.4}
\BOOKMARK [2][-]{subsection.4.9}{What are all these ``ICMP destination unreachable'' alerts? }{section.4}
\BOOKMARK [2][-]{subsection.4.10}{Why do many Snort rules have the flags P \(TCP PuSH\) and A \(TCP ACK\) set? }{section.4}
\BOOKMARK [2][-]{subsection.4.11}{What are these IDS codes in the alert names? }{section.4}
\BOOKMARK [2][-]{subsection.4.12}{Snort says BACKDOOR SIGNATURE... does my machine have a Trojan? }{section.4}
\BOOKMARK [2][-]{subsection.4.13}{What about ``CGI Null Byte attacks?'' }{section.4}
\BOOKMARK [2][-]{subsection.4.14}{Why do certain alerts seem to have `unknown' IPs in ACID? }{section.4}
\BOOKMARK [2][-]{subsection.4.15}{Can priorities be assigned to alerts using ACID? }{section.4}
\BOOKMARK [2][-]{subsection.4.16}{What about `SMB Name Wildcard' alerts? }{section.4}
\BOOKMARK [2][-]{subsection.4.17}{What the heck is a SYNFIN scan? }{section.4}
\BOOKMARK [2][-]{subsection.4.18}{I am getting too many ``IIS Unicode attack detected'' and/or ``CGI Null Byte attack detected'' false positives. How can I turn this detection off? }{section.4}
\BOOKMARK [2][-]{subsection.4.19}{How do I test Snort alerts and logging?}{section.4}
\BOOKMARK [2][-]{subsection.4.20}{What is the difference between ``Alerting'' and ``Logging''?}{section.4}
\BOOKMARK [2][-]{subsection.4.21}{Are rule keywords ORed or ANDed together?}{section.4}
\BOOKMARK [2][-]{subsection.4.22}{Can Snort trigger a rule by MAC addresses?}{section.4}
\BOOKMARK [2][-]{subsection.4.23}{How can I deactivate a rule?}{section.4}
\BOOKMARK [2][-]{subsection.4.24}{How can I define an address to be anything except some hosts?}{section.4}
\BOOKMARK [2][-]{subsection.4.25}{After I add new rules or comment out rules how do I make Snort reload?}{section.4}
\BOOKMARK [2][-]{subsection.4.26}{Where do the distance and within keywords work from to modify content searches in rules?}{section.4}
\BOOKMARK [2][-]{subsection.4.27}{How can I specify a list of ports in a rule?}{section.4}
\BOOKMARK [2][-]{subsection.4.28}{How can I protect web servers running on ports other than 80?}{section.4}
\BOOKMARK [2][-]{subsection.4.29}{How do I turn off ``spp:possible EVASIVE RST detection'' alerts?}{section.4}
\BOOKMARK [2][-]{subsection.4.30}{Is there a private SID number range so my rules don't conflict?}{section.4}
\BOOKMARK [2][-]{subsection.4.31}{How long can address lists, variables, or rules be?}{section.4}
\BOOKMARK [2][-]{subsection.4.32}{What do the numbers \(ie: [116:56:1]\) in front of a Snort alert mean?}{section.4}
\BOOKMARK [1][-]{section.5}{Getting Fancy}{}
\BOOKMARK [2][-]{subsection.5.1}{I hear people talking about ``Barnyard''. What's that?}{section.5}
\BOOKMARK [2][-]{subsection.5.2}{How do I process those Snort logs into reports?}{section.5}
\BOOKMARK [2][-]{subsection.5.3}{How do I log to multiple databases or output plugins?}{section.5}
\BOOKMARK [2][-]{subsection.5.4}{How can I test Snort without having an Ethernet card or a connection to other computers? }{section.5}
\BOOKMARK [2][-]{subsection.5.5}{How to start Snort as a win32 service? }{section.5}
\BOOKMARK [2][-]{subsection.5.6}{Is it possible with snort to add a ipfilter/ipfw rule to a firewall? }{section.5}
\BOOKMARK [2][-]{subsection.5.7}{What is the best way to use Snort to block attack traffic?}{section.5}
\BOOKMARK [2][-]{subsection.5.8}{Snort complains about the ``react'' keyword...}{section.5}
\BOOKMARK [2][-]{subsection.5.9}{How do I get Snort to e-mail me alerts?}{section.5}
\BOOKMARK [2][-]{subsection.5.10}{How do I log a specific type of traffic and send alerts to syslog?}{section.5}
\BOOKMARK [2][-]{subsection.5.11}{Is it possible to have Snort call an external program when an alert is raised?}{section.5}
\BOOKMARK [2][-]{subsection.5.12}{How can I use Snort to log HTTP URLs or SMTP traffic?}{section.5}
\BOOKMARK [2][-]{subsection.5.13}{How can I move data from the snort db to snort\137archive db like ACID does?}{section.5}
\BOOKMARK [2][-]{subsection.5.14}{What are some resources that I can use to understand more about source addresses logged and where they are coming from?}{section.5}
\BOOKMARK [2][-]{subsection.5.15}{How do I understand this traffic and do IDS alert analysis?}{section.5}
\BOOKMARK [2][-]{subsection.5.16}{How can I examine logged packets in more detail?}{section.5}
\BOOKMARK [1][-]{section.6}{Problems}{}
\BOOKMARK [2][-]{subsection.6.1}{ I think I found a bug in Snort. Now what?}{section.6}
\BOOKMARK [2][-]{subsection.6.2}{SMB alerts aren't working, what's wrong? }{section.6}
\BOOKMARK [2][-]{subsection.6.3}{Snort says ``Garbage Packet with Null Pointer discarded!'' Huh?}{section.6}
\BOOKMARK [2][-]{subsection.6.4}{Snort says ``Ran Out Of Space.'' Huh?}{section.6}
\BOOKMARK [2][-]{subsection.6.5}{My ACID db connection times-out when performing long operations \(e.g. deleting a large number of alerts\).}{section.6}
\BOOKMARK [2][-]{subsection.6.6}{Why does ACID keep changing my sensor number and how do I keep it consistent?}{section.6}
\BOOKMARK [2][-]{subsection.6.7}{Why does snort report ``Packet loss statistics are unavailable under Linux?''}{section.6}
\BOOKMARK [2][-]{subsection.6.8}{My /var/log/snort directory gets very large...}{section.6}
\BOOKMARK [2][-]{subsection.6.9}{Why does the `error deleting alert' message occur when attempting to delete an alert with ACID? }{section.6}
\BOOKMARK [2][-]{subsection.6.10}{ACID appears to be broken in Lynx }{section.6}
\BOOKMARK [2][-]{subsection.6.11}{I am getting `snort [pid] uses obsolete \(PF\137INET, SOCK\137PACKET\)' warnings. What's wrong?}{section.6}
\BOOKMARK [2][-]{subsection.6.12}{On HPUX I get device lan0 open: recv\137ack: promisc\137phys: Invalid argument}{section.6}
\BOOKMARK [2][-]{subsection.6.13}{Snort is dying with a `can not create file' error and I have plenty of diskspace. What's wrong?}{section.6}
\BOOKMARK [2][-]{subsection.6.14}{I am using Snort on Windows and receive an ``OpenPcap\(\) error upon startup: ERROR: OpenPcap\(\) device open: Error opening adapter'' message. What's wrong? }{section.6}
\BOOKMARK [2][-]{subsection.6.15}{Snort is not logging to my database}{section.6}
\BOOKMARK [2][-]{subsection.6.16}{Portscans are not being logged to my database }{section.6}
\BOOKMARK [2][-]{subsection.6.17}{Snort is not logging to syslog}{section.6}
\BOOKMARK [2][-]{subsection.6.18}{I am still getting bombarded with spp\137portscan messages even though the IP that I am getting the portscan from is in my \044DNS\137SERVERs var }{section.6}
\BOOKMARK [2][-]{subsection.6.19}{Why does chrooted Snort die when I send it a SIGHUP? }{section.6}
\BOOKMARK [2][-]{subsection.6.20}{My snort crashes, how do I restart it?}{section.6}
\BOOKMARK [2][-]{subsection.6.21}{Why can't snort see one of the 10Mbps or 100Mbps traffic on my autoswitch hub?}{section.6}
\BOOKMARK [2][-]{subsection.6.22}{Trying to install snort it says: ``bad interpreter: No such file or directory''}{section.6}
\BOOKMARK [2][-]{subsection.6.23}{I'm not seeing any interfaces listed under Win32.}{section.6}
\BOOKMARK [2][-]{subsection.6.24}{It's not working on Win32, how can I tell if my problem is Snort or WinPcap?}{section.6}
\BOOKMARK [2][-]{subsection.6.25}{I just downloaded a new ruleset and now Snort fails, complaining about the rules.}{section.6}
\BOOKMARK [2][-]{subsection.6.26}{How do I speed up ACID and MySQL?}{section.6}
\BOOKMARK [2][-]{subsection.6.27}{Why am I seeing so many ``SMTP RCPT TO overflow'' alerts?}{section.6}
\BOOKMARK [2][-]{subsection.6.28}{I'm getting lots of *ICMP Ping Speedera*, is this bad?}{section.6}
\BOOKMARK [2][-]{subsection.6.29}{Why are my unified alert times off by +/- N hours?}{section.6}
\BOOKMARK [2][-]{subsection.6.30}{I try to start Snort and it gives an error like ``ERROR: Unable to open rules file: /root/.snortrc or /root//root/.snortrc.'' What can I do to fix this?}{section.6}
\BOOKMARK [1][-]{section.7}{Development}{}
\BOOKMARK [2][-]{subsection.7.1}{How do you put Snort in debug mode? }{section.7}
\BOOKMARK [1][-]{section.8}{Miscellaneous}{}
\BOOKMARK [2][-]{subsection.8.1}{What's this about a Snort drinking game?}{section.8}