Snort 2.0.0 and portscan-ignorehosts

Windoofsklicker
29.06.04, 20:54
Hello forum,

I dug out Snort again and have the following "problem":
Snort itself works very well, but I get a lot of "false positives" from accesses to http or pop3 servers from my machine, which are detected as a portscan.

Now I found on the Internet that the line
preprocessor portscan-ignorehosts: [192.168.0.0/24,$ppp0_ADDRESS]

has to come after the line
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

That is the case. What have I overlooked?

<edit> snort.conf attached as well </edit>
var HOME_NET [192.168.0.0/24,$ppp0_ADDRESS]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 192.168.0.1
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS [192.168.0.1,192.168.0.5]
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
#preprocessor portscan-ignorehosts: 192.168.0.0/24
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
preprocessor portscan-ignorehosts: [192.168.0.0/24,$ppp0_ADDRESS]
include classification.config
include reference.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
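Added example, not part of the original post and not code from Snort itself: a small Python checker that reads a snort.conf excerpt and reports portscan ignore-host directives that do not match the scan preprocessor actually enabled. It assumes, per the Snort 2.0 documentation, that `portscan-ignorehosts` belongs to the legacy `portscan` preprocessor, that `portscan2` has its own `portscan2-ignorehosts` directive, and that both take a space-separated host list. The two config samples embedded in the block are constructed from the excerpt above; `$ppp0_ADDRESS` is treated as the interface variable Snort defines at start-up and is left unexpanded.

```python
"""Consistency check for Snort 2.0 portscan ignore-host directives.

Added example for this thread; not code from the original post or from Snort.
Assumption (per the Snort 2.0 manual): 'portscan-ignorehosts' belongs to the
legacy 'portscan' preprocessor, 'portscan2' has its own
'portscan2-ignorehosts', and both take a space-separated host list.
"""
import re

# Map each ignore-host directive to the scan preprocessor it configures.
OWNER_OF = {
    "portscan-ignorehosts": "portscan",
    "portscan2-ignorehosts": "portscan2",
}
IGNORE_FOR = {scan: ign for ign, scan in OWNER_OF.items()}

# Constructed sample: the relevant lines of the snort.conf posted above.
SAMPLE_CONF = """\
var HOME_NET [192.168.0.0/24,$ppp0_ADDRESS]
preprocessor stream4: detect_scans, disable_evasion_alerts
#preprocessor portscan-ignorehosts: 192.168.0.0/24
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
preprocessor portscan-ignorehosts: [192.168.0.0/24,$ppp0_ADDRESS]
"""

# Constructed sample with the directive that matches portscan2 (assumed syntax).
FIXED_CONF = """\
var HOME_NET [192.168.0.0/24,$ppp0_ADDRESS]
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
preprocessor portscan2-ignorehosts: 192.168.0.0/24 $ppp0_ADDRESS
"""


def parse_conf(text):
    """Return ({var: value}, [(preprocessor, args)]); '#' lines are skipped."""
    variables, preprocs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"var\s+(\S+)\s+(.*)", line)
        if m:
            variables[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"preprocessor\s+([\w-]+)\s*:?\s*(.*)", line)
        if m:
            preprocs.append((m.group(1), m.group(2).strip()))
    return variables, preprocs


def expand_vars(value, variables):
    """Replace $NAME with its 'var' value. Names with no definition, such as
    the interface variable $ppp0_ADDRESS that Snort defines at start-up for
    the capture interface, are left as written."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def check_ignorehosts(text):
    """Return a list of findings (strings); an empty list means consistent."""
    variables, preprocs = parse_conf(text)
    enabled = {name for name, _ in preprocs}
    findings = []
    for name, args in preprocs:
        owner = OWNER_OF.get(name)
        if owner is None:
            continue  # not an ignore-host directive
        if owner not in enabled:
            msg = f"{name} is set but preprocessor '{owner}' is not enabled"
            # Point at the directive for whichever scan preprocessor *is* on.
            active = [IGNORE_FOR[s] for s in IGNORE_FOR if s in enabled]
            if active:
                msg += "; use " + " or ".join(active) + " instead"
            findings.append(msg)
        hosts = expand_vars(args, variables)
        if hosts.startswith("[") or "," in hosts:
            findings.append(
                f"{name}: host list {hosts!r} uses the [a,b] form; the documented "
                "form is a space-separated list")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(label, check_ignorehosts(conf) or ["ok"])
```

Run stand-alone, the script reports two findings for the posted excerpt (the directive has no matching `portscan` preprocessor, and the host list is in `[a,b]` form) and nothing for the corrected one. Whether an ignore list helps at all also depends on which component is raising the alerts: the `detect_scans` option of `stream4` and the signatures in `scan.rules` are separate mechanisms that neither ignore directive touches, so the source of the false positives is worth confirming in the alert text before changing the config.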