faq
4.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort says BACKDOOR SIGNATURE... does my machine have a Trojan?

A: If you are dumping the data part of the packet, review it. These rules are known to have high false-positive rates, as most of them are based only on numeric port numbers.

4.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What about "CGI Null Byte attacks"?

A: It's a part of the http preprocessor. Basically, if the http decoding routine finds a %00 in an http request, it will alert with this message. Sometimes you may see false positives with sites that use cookies with urlencoded binary data, or if you're scanning port 443 and picking up SSL-encrypted traffic. If you're logging alerted packets you can check the actual string that caused the alert. Also, the unicode alert is subject to the same false positives with cookies and SSL. Having the packet dumps is the only way to tell for sure if you have a real attack on your hands, but this is true for any content-based alert.

4.13 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why do certain alerts seem to have 'unknown' IPs in ACID?

A: The Snort database plug-in only logs packet information into the database when an alert is triggered by a rule (signature). Therefore, since alerts generated by preprocessors such as portscan and mini-fragment have no corresponding rules, no packet information is logged beyond an entry indicating their occurrence. As a consequence, ACID cannot display any packet-level (e.g. IP address) information for these alerts. For these particular alerts, certain statistics may show zero unique IP addresses, list the IP address as 'unknown', and will not list any packet information when decoding the alert.

4.14 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Can priorities be assigned to Alerts using ACID?

A: The quick answer to this question is no. ACID is at the mercy of the underlying database: since Snort doesn't assign priorities, ACID does not have priorities. Nevertheless, there are several work-arounds:

It is possible to enforce priorities of a sort at the database level by writing alerts of different severity to separate databases. For example, critical alerts such as buffer overflows can be written to one database, while scan alerts can be written to another. Then load two different versions of ACID, each pointing to a different instance of the database.

With manual intervention, Alert Groups (AG) can be used to assign priority. Essentially, this strategy entails creating an AG for each severity level and manually moving the alerts as they arrive into the appropriate group.

4.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What about 'SMB Name Wildcard' alerts?

A: Whitehats IDS177 (http://dev.whitehats.com/cgi/test/new.pl/Show?_id=netbios-name-query) specifies traffic coming from *outside* of your local network. Allowing netbios traffic over public networks is usually very insecure. If the rule you are using also refers to ingress traffic only, then it would explain why you don't see a lot of false positives. For anyone reading who does see a lot of false positives: if you change your rule to reflect the source address as being !$HOME (or whatever variable you use to represent your internal network), then you should see most of the false positives go away. The value of this check is that a default administrative share (C$, ADMIN$ or some such) has been accessed. This shouldn't happen in normal use; when people want to share files they should be explicitly defining the shares and ACLs.

4.16 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: What the heck is a SYNFIN scan?

A: SYNFIN scans got their name because both the SYN and FIN flags are set in the same packet.
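A triage helper for the packet-dump check the 4.12 answer recommends, added here as an example that is not part of the original FAQ or of Snort: it locates %00 and overlong-encoding strings in a logged HTTP request and reports whether they sit in the URI or only in the Cookie header. The regexes, function names and sample requests are constructed for illustration and are not the preprocessor's own tables.

```python
import re

# Encodings that the http_decode preprocessor reacts to, as described in 4.12
# and 4.17: a %00 (CGI null byte) and overlong UTF-8 sequences such as %c0%af
# (IIS unicode). The overlong regex is a simplification chosen for this
# example (assumption), not the preprocessor's own table.
PATTERNS = {
    "cgi-null-byte": re.compile(rb"%00", re.IGNORECASE),
    "iis-unicode": re.compile(rb"%c[01]%[89ab][0-9a-f]", re.IGNORECASE),
}

def split_request(payload: bytes):
    """Yield (label, bytes) for the request URI and each header value."""
    request_line, _, rest = payload.partition(b"\r\n")
    parts = request_line.split(b" ")
    yield "uri", parts[1] if len(parts) > 1 else request_line
    for line in rest.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            yield name.strip().lower().decode("ascii", "replace"), value.strip()

def triage(payload: bytes, dst_port: int) -> dict:
    """Find the string that tripped the alert and say where it sits."""
    if dst_port == 443:
        # 4.12: the decoder cannot see inside SSL, so a hit here is noise.
        return {"verdict": "likely-false-positive", "hits": []}
    hits = [{"where": label, "kind": kind, "match": m.group().decode()}
            for label, blob in split_request(payload)
            for kind, pat in PATTERNS.items()
            for m in pat.finditer(blob)]
    if not hits:
        return {"verdict": "no-match", "hits": hits}
    if all(h["where"] == "cookie" for h in hits):
        # 4.12: urlencoded binary data in cookies is the common false positive.
        return {"verdict": "likely-false-positive", "hits": hits}
    return {"verdict": "review", "hits": hits}

# Constructed sample payloads (not taken from the page).
COOKIE_NOISE = (b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
                b"Cookie: session=%00%01%ff%7e\r\n\r\n")
URI_HIT = (b"GET /..%c0%af../example.txt HTTP/1.0\r\n"
           b"Host: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("cookie", COOKIE_NOISE), ("uri", URI_HIT)):
        print(name, triage(req, 80))
```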
4.17 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I am getting too many "IIS Unicode attack detected" and/or "CGI Null Byte attack detected" false positives. How can I turn this detection off?

A: These messages are produced by the http_decode preprocessor. If you wish to turn these checks off, add -unicode or -cginull respectively to your http_decode preprocessor line:

    preprocessor http_decode: 80 8080 -unicode -cginull

Your own internal users' normal surfing can trigger these alerts in the preprocessor. Netscape in particular has been known to trigger them. Instead of disabling them, try a BPF filter to ignore your outbound http traffic, such as:

    snort -d -A fast -c snort.conf not (src net xxx.xxx and dst port 80)

This has worked very well for us over a period of 5-6 months and Snort is still very able to decode actual and dangerous cgi null and unicode attacks on our public web servers.

4.18 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I test snort alerts and logging?

A: Try a rule that will fire off all the time, like:

    alert tcp any any -> any any (msg:"TCP traffic";)

Also take a look at sneeze at http://snort.sourceforge.net/sneeze-1.0.tar (Sneeze is a false positive generator that reads snort signatures and generates packets that will trigger the rules).

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
***************************************
Section 5: GETTING FANCY
***************************************

5.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I process those snort logs into HTML reports?

A1: One popular solution is SnortSnarf, a tool for producing HTML out of snort alerts for navigating through these alerts (and doing a whole lot more). http://www.silicondefense.com/snortsnarf/

A2: If you want to set up logging to a database you could try ACID. Some documentation describing the current ACID functionality: http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html

5.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I log to multiple databases?

A: You can build redundancy by using multiple output plugins. Here are some examples.

Multiple instantiations of the database plugin:

    output log_database: mysql, dbname=snort host=localhost user=xyz
    output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz

Remote database and local tcpdump:

    output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz
    output log_tcpdump: /var/log/snort.tcpdump

Then you can replay the tcpdump file through snort to recreate the database.

5.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How can I test snort without having an ethernet card or a connection to other computers?

A: You have to use routing between two dummy devices:

    modprobe -a dummy      (the dummy device has to be built by the kernel)
    ifconfig dummy0 192.168.0.1
    ifconfig dummy0:0 192.168.0.2
    telnet 192.168.0.3 12345

It's important that the second IP is on the same interface and not e.g. dummy1 or dummy2, and that the IP you try to access is *not* one of those you put on the interfaces. Use snort's ability to listen in promiscuous mode on an IP address range (HOMEDIR=192.168.0.0/16).

5.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I start snort as a win32 service?

A: Service support has been added to snort-1.6.3-patch2. You can download the binary from: http://www.datanerds.net/~mike/dev/snort-1.6.3-patch2-service.zip Right now there is only a binary available.

Snort Service FAQ:

1) You must use complete paths for everything. This means EVERYTHING. Command line, configuration files, everything. Examples: All include statements must be full paths. I.E. 'include scan-lib' is WRONG. 'include C:\snort\scan-lib' is CORRECT. All command line options must be full paths. I.E. 'snort.exe -l ./log' is WRONG. 'snort.exe -l C:\snort\log' is CORRECT.

2) YOU MUST ALWAYS HAVE A LOGGING DIRECTORY SET VIA THE COMMAND LINE (-l switch). If you do not set a logging directory the service will not start and, on NT/Win2k, your bootup will hang for about 4 minutes.

3) How to install the snort service. Run snort like you would via the command line but add a '-I'. I.E. 'snort.exe -c snort.conf -l ./log -h 192.168.1.0/24 -s' turns into 'snort.exe -c C:\snort\snort.conf -l C:\snort\log -h 192.168.1.0/24 -s -I'. YOU MUST USE COMPLETE PATHS FOR ALL FILES/DIRECTORIES. NOTE: You do NOT need to add the -D option to the command line when you install the service. If -D is not there it will automatically be added.

4) How to remove the snort service. Run 'snort -R'.

5) Does the service run on 9x/ME? Yes. It uses a horrible hack to get it to work. Because of this, when you boot up you will see a black command prompt window for about 5 seconds before snort goes to the background. This service mode is considered a horrible hack and probably will not work in every situation.

6) What functions are supported by the NT service? Start and Stop currently. Pause and Resume will be implemented later (code already exists but is not working properly).

Any questions, comments, flames please email mike@datanerds.net

5.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Is it possible with snort to add an ipfilter/ipfw rule to a firewall?

A: Yes, with additional software in the contrib directory. But this can be dangerous and is not recommended unless you know what you're doing. Guardian is available and is part of the contrib directory in the tarball distribution. Guardian is a perl script which uses snort to detect attacks, and then uses IPchains to deny any further attacks. The Guardian webpage can be found at: http://www.chaotic.org/~astevens/Guardian/index.html or you can use the mirror, http://www.cyberwizards.com/~midnite/Guardian/index.html

But one caveat... running external binaries can also be a performance limiter and you should read the caution below...

Christopher Cramer wrote:
>
> I'm sure this has been mentioned before in similar discussions, but this
> feels like a _really_ bad idea. What if the bad guys realize what is
> going on and make use of your blocking method as a DoS attack. All one
> would have to do is start sending a series of triggering packets with spoofed
> IP addresses.
>
> Since I am no longer interested in breaking into your site, but rather
> making your life hell, I don't worry about the resulting data getting back
> to me. All I have to do is start proceeding up a list of IP addresses
> that I think you should no longer be able to talk to. When you come in
> the next morning, you find that you can no longer access the world.
>
> Just my $0.02.

Danger Will Robinson: Conventional wisdom says that auto-blocking is inherently dangerous. However, for those that like to live at the bleeding edge of tech (and the separate process scanning logs and processing firewall commands sounds like a good way to do this...): Please remember to include an exclusion list and put on it important sites such as root servers, other important DNS servers (yours, and important sites for your users), and in general any host you don't want to receive phone calls about being DoSed when they are spoofed - usually inconveniently, like that first time you actually manage to get on vacation.... (i.e. imagine "Crisis: the CEO can't reach his favorite redlite.org game.... you have to fly back from the Caribbean ASAP....")

5.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort complains about the "react" keyword...

A: Rerun configure with the --enable-flexresp option and rebuild/reinstall.

5.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I get snort to e-mail me alerts?

A: Log to syslog and use swatch or logcheck.

5.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I log a specific type of traffic and send alerts to syslog?

A: An example addition to snort.conf:

    ruletype redalert
    {
        type alert
        output alert_syslog: LOG_LOCAL2
        output database: alert, postgresql, user=user dbname=snort password=pwd
    }

[...snip...]

Go into your local.rules and make sure you have something like:

    redalert tcp any any -> any any (msg:"REDRUM REDRUM"; content:"redalerttest";)

Then just do a telnet and type 'redalerttest'. Presto, alerts to both.

5.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Is it possible to have snort call an external program when an alert is raised?

A: Calling another program from within your main IDS loop is generally a bad idea. Having your IDS block while waiting for <something> of dubious reliability and origin, never mind timing while the packets are piling up, is inviting packet loss. Especially with the already oh-so-consistent "Gee I think I'll go away for a minute" rock steady even CPU slicing Windows gives you (that's sarcasm, sorry). Go with the second approach.... process invocation is expensive on Windows. You want to keep that IDS task humming and munching
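A gate for the auto-blocking setup discussed in 5.5 and 5.9, added here as an example that is not part of the FAQ or of Guardian: it applies the exclusion list the 5.5 caveat asks for and caps the number of blocks per time window, and is meant to run as a separate process reading the alert log rather than as a call from inside Snort, as 5.9 advises. Class and function names, thresholds and addresses are assumptions.

```python
import ipaddress
from collections import deque

class BlockGate:
    """Gate between a Snort alert and a firewall deny rule. Two safeguards
    from the 5.5 caveat: an exclusion list that is never blocked, and a cap
    on blocks per time window so a flood of spoofed triggering packets
    cannot lock the site out of the world overnight."""

    def __init__(self, exclusions, max_blocks, window_seconds):
        self.exclusions = [ipaddress.ip_network(e, strict=False) for e in exclusions]
        self.max_blocks = max_blocks
        self.window = window_seconds
        self.recent = deque()      # timestamps of blocks issued in the window
        self.blocked = set()       # addresses already handed to the firewall

    def decide(self, src_ip, now):
        """Return (action, reason); action is 'block' or 'skip'."""
        ip = ipaddress.ip_address(src_ip)
        for net in self.exclusions:
            if ip in net:
                return "skip", f"{ip} is on the exclusion list ({net})"
        if ip in self.blocked:
            return "skip", f"{ip} already blocked"
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) >= self.max_blocks:
            return "skip", "block rate cap hit; treat as a possible spoofed flood"
        self.recent.append(now)
        self.blocked.add(ip)
        return "block", f"safe to issue a deny rule for {ip}"

def run(alerts, gate):
    """Feed (timestamp, src_ip) pairs through the gate; return the actions."""
    return [gate.decide(src, ts)[0] for ts, src in alerts]

# Constructed exclusion list and alert stream (placeholders, not real hosts):
# 192.0.2.53 stands in for your DNS/root servers, 10.0.0.0/8 for $HOME_NET.
EXCLUSIONS = ["192.0.2.53/32", "10.0.0.0/8"]
ALERTS = [(0, "203.0.113.5"), (1, "192.0.2.53"), (2, "10.1.2.3"),
          (3, "203.0.113.6"), (4, "203.0.113.5"), (5, "203.0.113.7"),
          (6, "203.0.113.8"), (70, "203.0.113.9")]

if __name__ == "__main__":
    gate = BlockGate(EXCLUSIONS, max_blocks=3, window_seconds=60)
    for alert, action in zip(ALERTS, run(ALERTS, gate)):
        print(alert, action)
```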