I have been using snort-mysql with acidlab for intrusion monitoring of the
computers on my network.
It has been working great.
I've also been using bleedingsnort.org for some updated rule sets for
virus threats and similar.
I have been unable to configure the portscan detection to work correctly.
My software versions are:
snort-mysql:2.1.2-2
acidlab:0.9.6b20-2
Could someone please send me the configuration they used to get the
portscanning to work correctly?
I've played around with the examples and similar and am not sure why it is
not working correctly.
The open source book:
"bruce peren's open source series: Advanced IDS techniques using
snort,apache, mysql php, and acidlab"
does not cover this.
my snort.conf file:
var HOME_NET
[xx.xx.195.0/24,xx.xx.196.0/24,xx.xx.197.0/24,xx.xx.198.0/24,xx.xx.199.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0
/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80
8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: talker-sliding-scale-factor 0.50
talker-fixed-threshold 30 talker-sliding-threshold 30
talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker
30000 server-watchnet $HOME_NET server-ign
ore-limit 200 server-rows 65535 server-learning-time 14400
server-scanner-limit 4 scanner-sliding-window 20 scanne
r-sliding-scale-factor 0.50 scanner-fixed-threshold 15
scanner-sliding-threshold 40 scanner-fixed-window 15 scoreb
oard-rows-scanner 30000 src-ignore-net xx.xx.199.62 dst-ignore-net
[xx.0.0.0/30] alert-mode once output-mode msg tcp-penalties on
output log_tcpdump: snort.log
output database: log, mysql, user=xx password=xxx dbname=snort host=localhost
output database: alert, mysql, user=xx password=xxx dbname=snort
host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/bleeding.rules
include threshold.conf
--
--Luke CS Sysadmin, Montana State University-Bozeman
