[Sysadmins] [Sysadmins Snort и его настройки .]
бОДТіК рТЕДЛП
=?iso-8859-1?q?andrewnbg_=CE=C1_ukr=2Enet?=
Сб Май 6 11:19:26 MSD 2006
> Message: 2
> Date: Fri, 5 May 2006 17:07:05 +0300
> From: "Dmitriy L. Kruglikov" <Dmitriy.Kruglikov на orionagro.com.ua>
> Subject: Re: [Sysadmins] [Sysadmins Snort и его настройки.]
> To: sysadmins на lists.altlinux.org
> Message-ID: <20060505170705.4945f065 на shadow.orionagro.com.ua>
> Content-Type: text/plain; charset=KOI8-R
>
> On Fri, 05 May 2006 16:48:10 +0400
> andrewnbg wrote:
>
> > [root на ser mysql]# /etc/rc.d/init.d/snortd status
> > snort is stopped
> Поприбивай процессы...
> Потом /etc/rc.d/init.d/snortd start
> И посмотри опять ...
>
Попробовал ... результат тот же.
Может не правильно сконфигурирован snort.conf?
Вот мои настройки:
192.168.0.0.24 - внутренняя сеть
192.168.1.0.24 - городская сеть с выходом в инет.
var HOME_NET [192.168.0.0/24,192.168.1.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.1
88.9.0/24]
var RULE_PATH /etc/snort
# Configure the snort decoder
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all \
ports { 80 8080 }
# are actually running this type of service. If not, change the ports or turn
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
output database: log, mysql, user=andrew password=west72rn dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include threshold.conf
Подробная информация о списке рассылки Sysadmins