- 论坛徽章:
- 0
|
大家帮我看下snort的HttpInspect在base里面没有数据,大家帮我看下,下面是snort 启动信息.
[root@mail snort]# snort -c /etc/snort/snort.conf -g snort -u snort -i eth0 -l /var/log/snort
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
Var 'HOME_NET' redefined
PortVar 'HTTP_PORTS' defined : [ 80 2301 3128 8000 8080 8180 8888]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535]
PortVar 'ORACLE_PORTS' defined : [ 1521]
PortVar 'AUTH_PORTS' defined : [ 113]
PortVar 'DNS_PORTS' defined : [ 53]
PortVar 'FINGER_PORTS' defined : [ 79]
PortVar 'FTP_PORTS' defined : [ 21]
PortVar 'IMAP_PORTS' defined : [ 143]
PortVar 'IRC_PORTS' defined : [ 6665:6669 7000]
PortVar 'MSSQL_PORTS' defined : [ 1433]
PortVar 'NNTP_PORTS' defined : [ 119]
PortVar 'POP2_PORTS' defined : [ 109]
PortVar 'POP3_PORTS' defined : [ 110]
PortVar 'SUNRPC_PORTS' defined : [ 111 32770:32779]
PortVar 'RLOGIN_PORTS' defined : [ 513]
PortVar 'RSH_PORTS' defined : [ 514]
PortVar 'SMB_PORTS' defined : [ 139 445]
PortVar 'SMTP_PORTS' defined : [ 25]
PortVar 'SNMP_PORTS' defined : [ 161]
PortVar 'SSH_PORTS' defined : [ 22]
PortVar 'TELNET_PORTS' defined : [ 23]
PortVar 'MAIL_PORTS' defined : [ 25 143 465 691]
PortVar 'SSL_PORTS' defined : [ 25 443 465 636 993 995]
Detection:
Search-Method = AC-BNFA
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: WINDOWS
Fragment timeout: 180 seconds
Fragment min_ttl: 1
Fragment ttl_limit: 5
Fragment Problems: 0
Stream5 global config:
Track TCP sessions: ACTIVE
Max TCP sessions: 8192
Memcap (for reassembly packet storage): 8388608
Track UDP sessions: ACTIVE
Max UDP sessions: 131072
Track ICMP sessions: INACTIVE
Stream5 TCP Policy config:
Reassembly Policy: WINDOWS
Timeout: 30 seconds
Min ttl: 1
Options:
Static Flushpoint Sizes: YES
Reassembly Ports:
21 client (Footprint)
23 client (Footprint)
25 client (Footprint)
42 client (Footprint)
53 client (Footprint)
80 client (Footprint)
110 client (Footprint)
111 client (Footprint)
135 client (Footprint)
136 client (Footprint)
137 client (Footprint)
139 client (Footprint)
143 client (Footprint)
445 client (Footprint)
465 client (Footprint)
513 client (Footprint)
691 client (Footprint)
1433 client (Footprint)
1521 client (Footprint)
2100 client (Footprint)
Stream5 UDP Policy config:
Timeout: 30 seconds
Options:
Ignore Any -> Any Rules: YES
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 2301 3128 8000 8080 8180 8888
Flow Depth: 1460
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: NO
%U Encoding: YES alert: YES
Bare Byte: YES alert: NO
Base36: OFF
UTF 8: YES alert: NO
IIS Unicode: YES alert: NO
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: YES
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
SERVER: 192.168.1.14
Server profile: All
Ports: 80 3128 8080
Flow Depth: 0
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 300
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: OFF
Bare Byte: OFF
Base36: OFF
UTF 8: OFF
IIS Unicode: OFF
Multiple Slash: OFF
IIS Backslash: OFF
Directory Traversal: OFF
Web Root Traversal: OFF
Apache WhiteSpace: OFF
IIS Delimiter: OFF
IIS Unicode Map: NOT CONFIGURED
Non-RFC Compliant Characters: 0x00
Whitespace Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: High/Experimental
Memcap (in bytes): 10000000
Number of Nodes: 36900
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so... done
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: YES
TELNET CONFIG:
Ports: 23
Are You There Threshold: 20
Normalize: YES
Detect Anomalies: YES
FTP CONFIG:
FTP Server: default
Ports: 21 2100
Check for Telnet Cmds: OFF
Identify open data channels: NO
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: NO
Max Response Length: 200
SMTP Config:
Ports: 25 465 691
Inspection Type: Stateful
Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XSTA XTRN XUSR PIPELINING CHUNKING DSN XQUEU
Ignore Data: No
Ignore TLS Data: No
Ignore SMTP Alerts: No
Max Command Line Length: Unlimited
Max Specific Command Line Length:
ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
XLICENSE:246 X-LINK2STATE:246 XSTA:246 XTRN:246 XUSR:246
PIPELINING:246 CHUNKING:246 DSN:246 XQUEU:246
Max Header Line Length: 1000
Max Response Line Length: 512
X-Link2State Alert: Yes
Drop on X-Link2State Alert: No
Alert on commands: None
SSH config:
Autodetection: DISABLED
GOBBLES Alert: ENABLED
SSH1 CRC32 Alert: ENABLED
Server Version String Overflow Alert: ENABLED
Protocol Mismatch Alert: ENABLED
Bad Message Direction Alert: ENABLED
Bad Payload Size Alert: ENABLED
Unrecognized Version Alert: ENABLED
Max Encrypted Packets: 20
MaxClientBytes: 19600 (Default)
Ports:
22
DCE/RPC Decoder config:
Autodetect ports ENABLED
SMB fragmentation ENABLED
DCE/RPC fragmentation ENABLED
Max Frag Size: 3000 bytes
Memcap: 100000 KB
Alert if memcap exceeded DISABLED
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1958 Snort rules read
1958 detection rules
0 decoder rules
0 preprocessor rules
1958 Option Chains linked into 58 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-------------------[Rule Port Counts]---------------------------------------
| tcp udp icmp ip
| src 765 2 0 0
| dst 1042 37 0 0
| any 2 2 108 0
| nc 4 1 82 0
| s+d 0 0 0 0
+----------------------------------------------------------------------------
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=4984 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Verifying Preprocessor Configurations!
Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'sslv3.client_hello.request' is checked but not ever set.
15 out of 512 flowbits in use.
Initializing Network Interface eth0
Decoding Ethernet on interface eth0
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = 192.168.1.14
database: sensor id = 2
database: schema version = 107
database: using the "log" facility
[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances : 59
| Patterns : 2159
| Pattern Chars : 56862
| Num States : 43589
| Num Match States : 2009
| Memory : 860.68Kbytes
| Patterns : 97.64K
| Match Lists : 189.69K
| Transitions : 568.28K
+-------------------------------------------------
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.8.0.1 (Build 72)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
Using PCRE version: 7.4 2007-09-21
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
Preprocessor Object: SF_SSH Version 1.0 <Build 1>
Preprocessor Object: SF_SMTP Version 1.0 <Build 7>
Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 10>
Preprocessor Object: SF_DNS Version 1.0 <Build 2>
Preprocessor Object: SF_DCERPC Version 1.0 <Build 4>
Using PCAP_FRAMES = max
[ 本帖最后由 heiheijian 于 2007-12-24 11:24 编辑 ] |
|