Prick
10.10.01, 03:15
zum Test habe ich snort wie folgt aufgerufen:
snort -c /etc/scan-lib -l /var/log/snort
ich erhalte folgenden fehlermeldung (es sind wohl die rules falsch):
ERROR /etc/snort/scan-lib (4) => invalid Port: (msg
------------------------
so sieht die liste der rules (nur die scan-lib) aus:
# this library is for hostile scans and protocol pokes
# look for stealth port scans/sweeps
alert tcp any any -> $HOME_NET any (msg:"SYN FIN Scan"; flags: SF;)
alert tcp any any -> $HOME_NET any (msg:"FIN Scan"; flags: F;)
alert tcp any any -> $HOME_NET any (msg:"NULL Scan"; flags: 0;)
alert tcp any any -> $HOME_NET any (msg:"XMAS Scan"; flags: FPU;)
alert tcp any any -> $HOME_NET any (msg:"Full XMAS Scan"; flags: SRAFPU;)
alert tcp any any -> $HOME_NET any (flags: A; ack: 0; msg:"NMAP TCP ping!";)
# detect fingerprinting attempts
alert tcp any any -> $HOME_NET any (msg:"Possible NMAP Fingerprint attempt"; flags: SFPU;)
alert tcp any any -> $HOME_NET any (msg:"Possible Queso Fingerprint attempt"; flags: S12;)
# Windows Traceroutes
alert icmp any any -> $HOME_NET any (msg:"Windows Traceroute"; TTL: 1; itype: 8;)
# Standard Traceroutes
alert udp any any -> $HOME_NET any (msg:"Traceroute"; TTL: 1;)
# Watch for WinGate Scans
alert tcp any any -> $HOME_NET 1080 (msg:"WinGate 1080 Attempt"; flags: S;)
alert tcp any any -> $HOME_NET 8080 (msg:"WinGate 8080 Attempt"; flags: S;)
----------------------
wäre nett, wenn mir jemand sagen könnte was daran falsch ist. danke
snort -c /etc/scan-lib -l /var/log/snort
ich erhalte folgenden fehlermeldung (es sind wohl die rules falsch):
ERROR /etc/snort/scan-lib (4) => invalid Port: (msg
------------------------
so sieht die liste der rules (nur die scan-lib) aus:
# this library is for hostile scans and protocol pokes
# look for stealth port scans/sweeps
alert tcp any any -> $HOME_NET any (msg:"SYN FIN Scan"; flags: SF;)
alert tcp any any -> $HOME_NET any (msg:"FIN Scan"; flags: F;)
alert tcp any any -> $HOME_NET any (msg:"NULL Scan"; flags: 0;)
alert tcp any any -> $HOME_NET any (msg:"XMAS Scan"; flags: FPU;)
alert tcp any any -> $HOME_NET any (msg:"Full XMAS Scan"; flags: SRAFPU;)
alert tcp any any -> $HOME_NET any (flags: A; ack: 0; msg:"NMAP TCP ping!";)
# detect fingerprinting attempts
alert tcp any any -> $HOME_NET any (msg:"Possible NMAP Fingerprint attempt"; flags: SFPU;)
alert tcp any any -> $HOME_NET any (msg:"Possible Queso Fingerprint attempt"; flags: S12;)
# Windows Traceroutes
alert icmp any any -> $HOME_NET any (msg:"Windows Traceroute"; TTL: 1; itype: 8;)
# Standard Traceroutes
alert udp any any -> $HOME_NET any (msg:"Traceroute"; TTL: 1;)
# Watch for WinGate Scans
alert tcp any any -> $HOME_NET 1080 (msg:"WinGate 1080 Attempt"; flags: S;)
alert tcp any any -> $HOME_NET 8080 (msg:"WinGate 8080 Attempt"; flags: S;)
----------------------
wäre nett, wenn mir jemand sagen könnte was daran falsch ist. danke