Snort is a network Intrusion Detection System (IDS) application that analyzes network traffic for matches against user-defined rule sets and performs several actions based upon its network analysis. Snort decodes application-layer packet contents, allowing it to detect thousands of network attack signatures, including buffer overflows, fragmentation bombs, denial-of-service activity, and stealth scans.
I was inspired by the book: INTRUSION DETECTION with SNORT written by Rafeeq UR Rehman and scripted an Enterprise snort solution based on this book. A federation of NST probe sensors can be quickly set up for IDS using snort throughout an enterprise network computing environment as shown in Figure 6.5, “Network Enterprise Diagram”. Most of the advanced IDS techniques and integration with the network applications recommended by Rafeeq: Apache, MySQL, php, and ACID are automatically set up and configured for use with a single script.
The setup_snort script found in the "/usr/local/snort" directory is the primary means to run snort on a NST probe system. NST's Web User Interface found in Chapter 2, The Web User Interface (WUI) can also be used to launch this script. Information on how to start snort via a Web user interface can be found in the section called “Snort In Two Clicks”.
There are 3 operational "setup_snort" modes that one can choose with this script:

Mode 1: This mode ("-r") sets up a standalone Snort instance with a local MySQL database and ACID (Analysis Console for Intrusion Databases) support.

Mode 2: This mode ("-r" and "-d") sets up a standalone Snort instance and uses a remote MySQL database engine for archiving and querying Snort IDS events.

Mode 3: This mode ("-c") creates a "collector" for remote Snort security and alert incident archiving. An enterprise configuration of remote Snort sensors can be deployed with the "collector" serving as a backend Snort database engine and as console access to security incidents for the network security administrator using ACID. Snort incidents can be stored permanently on a local hard disk or on a networked file system.
If a NST probe was originally configured as a Snort "collector" only, one can add Snort IDS capability to the probe by running the "setup_snort" script a second time with the first operational mode ("-r") described above. The MySQL database engine associated with the Snort "collector" operation will be automatically detected and used.
The help information for the Snort setup script "/usr/local/snort/setup_snort" is shown below:
[root@probe root]# /usr/local/snort/setup_snort -h

Usage: setup_snort -r <local | remote> [-rs <URL: rules site>] [-i <interface>]
                   [-d <database hostname>] [-p <database port>] [-s <sensor name>]
                   [-a <full | fast>] [-rd <RAM device>] [-rds <RAM disk size (MB)>]
                   [-rmp <RAM mount point>] [-rdir <runtime directory>] [-v] [-h]

       setup_snort -c [-rd <RAM device>] [-rds <RAM disk size (MB)>]
                   [-rmp <RAM mount point>] [-rdir <runtime directory>] [-v] [-h]

The first form of this script "[-r]" is used to setup an instance of the
Snort Network Intrusion Detection System (IDS) on a NST probe system. A Snort
session can be used with any configured interface [-i <interface>] and all
associated alert and log events redirected to a MySQL database server on
host [-d <database name>]. The default setting is to create a 64MB RAM Disk
at mount point: "/mnt/ram4" for MySQL, ACID, and Snort data files.

If the database hostname [-d <database name>] is "localhost" (i.e. the
default value), a MySQL database server will be configured and started on
this NST probe system for immediate Snort usage. The PHP-based analysis
engine: ACID (Analysis Console for Intrusion Databases) will also be
configured to search and process the MySQL database for security incidents
generated by Snort. End user access to ACID is via the Apache Web Server.
One needs to make sure that an instance of Apache is running on the NST
probe system for access to ACID generated Web pages. The following are 2
examples on how to get access to the ACID Web interface:

  Example 1: Local Access (IP Address "localhost": 127.0.0.1)
    NST probe running Snort, MySQL, and ACID
    Interface: "Firefox" browser using X Windows or VNC client, or the
               "elinks" browser using the console or a SSH session.
    URL: http://127.0.0.1/acid

  Example 2: Remote Access (IP Address of NST Probe running Snort, MySQL,
             and ACID: 10.21.33.44)
    Interface: Any Web browser that supports SSL
    URL: https://10.21.33.44/acid

The second form of this script "[-c]" can also be used to setup and run a
backend MySQL database server engine taylored with the ACID analysis engine
for the collection of remote Snort security incidents and log information
(see the [-c] parameter below). A federation of remote Snort IDS probes can
populated throughout a Enterprise network computing evironment and be
configured to send any security incidents and log information to this
database server.

-r <local | remote> | --rules <local | remote>
    The rules parameter is require for determining which Snort rule set
    source to use:
      local  - a copy of the rules that came with the NST distribution will
               be transferred to read/write Snort runtime directory. Use
               these method if one does not have access to the internet.
      remote - use "wget" to update the latest Snort rules from default
               site: http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz

-rs <URL: rules site> | --rules-site <URL: rules site>
    Optional setting to change the default location of the remote "-r"
    rule site. Use a URL formatted site name for the alternate Snort rules
    site.

-i <interface name> | --interface <interface name>
    Interface name for which Snort will perform intrusion detection:
    Ex: "eth1".
    Default: "eth0"

-d <database hostname> | --db_hostname <database hostname>
    This parameter sets the MySQL database hostname for alert events and
    log information collection. It can be either an IP address or a name
    resolved through the naming service "/etc/hosts" file or DNS.
    ** Note: If the name of the database hostname is resolved to a remote
       host, a MySQL database instance will not be started on this NST
       probe system.
    Default: "localhost"

-p <database port> | --db_port <database port>
    This sets the database port number that the MySQL server is listening on.
    Default: "3306"

-c | --collector_mode
    This parameter is used to setup a MySQL database for the collection of
    remote Snort IDS probe's security alert events and log information.
    This parameter is useful when setting up an IDS architecture consisting
    of a federation of Snort probe sensors with a backend MySQL server and
    ACID analysis engine.

-s <sensor name> | --sensor_name <sensor name>
    Use this parameter to identify the sensor name used by this Snort
    instance. This is useful when many Snort sensors are logging to the
    same MySQL database. It will be easier to distinguish between multiple
    sensors when using the ACID tool for viewing alert and logged events.
    ** Note: Do not use spaces within the <sensor name>
       Ex: "Sensor 1" => "Sensor_1"
    Default: "IP address of probe interface: eth0"

-a <full | fast> | --alert_detail <full | fast>
    Used to set the detail of Snort alert and log events to the data base.
      full - All alert information for an event will be logged.
      fast - An abbreviated version of the alert event will be logged.
    Default: "full"

-rd <RAM device> | --ram-device <RAM device>
    Use this optional parameter to change the default RAM device that will
    be used for this instance of Snort, the associated MySQL database, and
    ACID data files. Available RAM device names on NST: "/dev/ram0 -
    /dev/ram9". A cooresponding mount point: "/mnt/ram0 - /mnt/ram9" will
    be automatically selected for the RAM device. One can use the following
    optional parameter: "-rmp <mount point>" to change mount point location
    for the selected RAM device.
    Default: "/dev/ram4"

-rds <RAM dsk size (MB)> | --ram-disk-size <RAM disk size (MB)>
    Use this optional parameter to change the default RAM disk size in
    MegaBytes (MB) that will be used for this instance of Snort, the
    associated MySQL database, and ACID data files.
    Default: "64"
    ** Note: Use a reasonable value and make sure you to not exceed your
       available system RAM. The system memory utility: "free" can be used
       to help make your determination.

-rmp <mount point> | --ram-mount-point <mount point>
    Use this optional parameter to change the selected RAM device's:
    "-rd <RAM device>" mount point for this instance of Snort, the
    associated MySQL database, and ACID data files.
    Default: "/mnt/ram4"

-rdir <runtime directory> | --runtime-directory <runtime directory>
    One can use this optional parameter to force the "setup_snort" script
    to use an existing directory on a locally attached disk drive or a
    mounted network file system and bypass the creation of a RAM disk. To
    do this, make sure the directory initially exists prior to running
    this script.
    Example:
      Mount Point: "/dev/hdc1" mount at: "/probe1" type ext3 (rw)
      Directory:   "/probe1/snort"
      Use: "-rdir /probe1/snort" to create the top level runtime directory
      structure for this instance of Snort, the associated MySQL database,
      and ACID data files.
      Directory Structure:
        Snort     => /probe1/snort/snort
        mysql     => /probe1/snort/var/lib/mysql
        www(ACID) => /probe1/snort/var/www/html/acid

-v | --verbose
    This optional switch will enable verbose output. Without this switch
    set, minimal output from the execution of this script will be displayed.

-h | --help
    Displays this help information.
We will now demonstrate a standalone snort configuration using this script with NST. It will be based upon the small business network configuration shown in Figure 6.4, “Small Business Diagram”. We will be using network interface "eth2" in stealth mode (i.e. no IP address bound to the network interface) as the probe monitor sensor interface. In this example network interface "eth2" is attached to a network "Hub", so all traffic on the "dirty side" of the Internet connection (i.e. the Internet side of the firewall with respect to the small business network) will be seen. This particular NST probe is configured with three 10/100 NICs. The "ifconfig -a" command reveals the following:
[root@probe root]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:54:BD:14:93:12
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20437 errors:0 dropped:0 overruns:0 frame:0
          TX packets:789 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2756634 (2.6 Mb)  TX bytes:139064 (135.8 Kb)
          Interrupt:10 Base address:0x7800

eth1      Link encap:Ethernet  HWaddr 00:40:05:89:E8:03
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:3 Base address:0x9c00

eth2      Link encap:Ethernet  HWaddr 00:04:75:A1:EF:AB
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:80106 errors:0 dropped:0 overruns:1 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:100
          RX bytes:4831006 (4.6 Mb)  TX bytes:60 (60.0 b)
          Interrupt:9 Base address:0xdc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:30 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10680 (10.4 Kb)  TX bytes:10680 (10.4 Kb)
The script will be started so that it obtains up-to-date remote rules from the "www.snort.org" site (this implies Internet connectivity for the NST probe system). The NST probe system will be labeled with the sensor name "FW-Dirty" and full snort alert details will be generated. A 128MB RAM disk will be created using the default RAM device "/dev/ram4" at mount point "/mnt/ram4". Since this is a standalone setup, a MySQL database engine will also be configured and started for this snort instance. Below is the command-line script execution for this IDS snort example:
[root@probe root]# /usr/local/snort/setup_snort -r remote -i eth2 -s "FW-Dirty" -a full -rds 128 -v

*** Creating a 128MByte RAM disk at mount point: "/mnt/ram4"...
/root/bin/create_ramdisk -s 128 -d /dev/ram4 -m /mnt/ram4 -v
============================================================
= Creating a 131072KB RAM disk at mount point: /mnt/ram4... =
============================================================
*** Zeroing out RAM device: "/dev/ram4"...
/bin/dd if=/dev/zero of=/dev/ram4 bs=1k count=131072
131072+0 records in
131072+0 records out
*** Creating a 131072KB Linux ext2 file system on RAM device: "/dev/ram4"...
/sbin/mke2fs -vm 0 /dev/ram4 131072
mke2fs 1.32 (09-Nov-2002)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
32768 inodes, 131072 blocks
0 blocks (0.00%) reserved for the super user
First data block=1
16 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 26 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
*** Mounting RAM disk device: "/dev/ram4" at mount point: "/mnt/ram4"...
/bin/mount -t ext2 /dev/ram4 /mnt/ram4
*** Show all current mounts...
/bin/df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/ram                 63461     31218     32243  50% /
none                    256892         0    256892   0% /dev/shm
/dev/cdrom              493888    493888         0 100% /mnt/cdrom
/dev/ram4               126931        13    126918   1% /mnt/ram4
*** Successfully created a 131072KB RAM Disk: "/dev/ram4" at mount point: "/mnt/ram4"...
*** Using remote Snort rules definitions...
*** Fetching the latest Snort rule definitions from: "http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz"
/usr/local/bin/wget http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz
--01:39:13--  http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz
           => `snortrules-snapshot-2_1.tar.gz'
Resolving www.snort.org... done.
Connecting to www.snort.org[199.107.65.177]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 141,307 [application/x-gzip]

100%[==================================================================>] 141,307      312.21K/s    ETA 00:00

01:39:15 (312.21 KB/s) - `snortrules-snapshot-2_1.tar.gz' saved [141307/141307]

rules/
rules/classification.config
rules/generators
rules/gen-msg.map
rules/reference.config
rules/sid
rules/sid-msg.map
rules/snort.conf
rules/threshold.conf
rules/unicode.map
rules/attack-responses.rules
rules/backdoor.rules
rules/bad-traffic.rules
rules/cgi-bin.list
rules/chat.rules
rules/ddos.rules
rules/deleted.rules
rules/dns.rules
rules/dos.rules
rules/experimental.rules
rules/exploit.rules
rules/finger.rules
rules/ftp.rules
rules/icmp-info.rules
rules/icmp.rules
rules/imap.rules
rules/info.rules
rules/local.rules
rules/misc.rules
rules/multimedia.rules
rules/mysql.rules
rules/netbios.rules
rules/nntp.rules
rules/oracle.rules
rules/other-ids.rules
rules/p2p.rules
rules/policy.rules
rules/pop2.rules
rules/pop3.rules
rules/porn.rules
rules/rpc.rules
rules/rservices.rules
rules/scan.rules
rules/shellcode.rules
rules/smtp.rules
rules/snmp.rules
rules/sql.rules
rules/telnet.rules
rules/tftp.rules
rules/virus.rules
rules/web-attacks.rules
rules/web-cgi.rules
rules/web-client.rules
rules/web-coldfusion.rules
rules/web-frontpage.rules
rules/web-iis.rules
rules/web-misc.rules
rules/web-php.rules
rules/x11.rules
*** Setup the MySQL Server...
/root/bin/setup_mysql -rd /dev/ram4 -rds 128 -rmp /mnt/ram4 -v
*** Creating a 128MByte RAM disk at mount point: "/mnt/ram4"...
/root/bin/create_ramdisk -s 128 -d /dev/ram4 -m /mnt/ram4 -v
*** Mount point: "/mnt/ram4" is already in use, script: "create_ramdisk" is exiting normally...
*** (mount): /dev/ram4 on /mnt/ram4 type ext2 (rw)
*** (df -k):
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/ram                 63461     31477     31984  50% /
none                    256892         0    256892   0% /dev/shm
/dev/cdrom              493888    493888         0 100% /mnt/cdrom
/dev/ram4               126931      1335    125596   2% /mnt/ram4
*** Creating a new MySQL database file structure at: "/mnt/ram4/var/lib/mysql"...
*** Starting up the MySQL database server...
Initializing MySQL database:                               [  OK  ]
Starting MySQL:                                            [  OK  ]
*** Assigning a password for database user: "root"...
*** Successfully started up a MySQL database server...
*** List MySQL Database Directory...
/mnt/ram4/var/lib:
total 3
drwxr-xr-x    3 root     root         1024 Jun 22 01:39 .
drwxr-xr-x    3 root     root         1024 Jun 22 01:39 ..
drwxr-xr-x    4 mysql    mysql        1024 Jun 22 01:39 mysql

/mnt/ram4/var/lib/mysql:
total 4
drwxr-xr-x    4 mysql    mysql        1024 Jun 22 01:39 .
drwxr-xr-x    3 root     root         1024 Jun 22 01:39 ..
drwx------    2 mysql    mysql        1024 Jun 22 01:39 mysql
srwxrwxrwx    1 mysql    mysql           0 Jun 22 01:39 mysql.sock
drwx------    2 mysql    mysql        1024 Jun 22 01:39 test

/mnt/ram4/var/lib/mysql/mysql:
total 67
drwx------    2 mysql    mysql        1024 Jun 22 01:39 .
drwxr-xr-x    4 mysql    mysql        1024 Jun 22 01:39 ..
-rw-rw----    1 mysql    mysql        8778 Jun 22 01:39 columns_priv.frm
-rw-rw----    1 mysql    mysql           0 Jun 22 01:39 columns_priv.MYD
-rw-rw----    1 mysql    mysql        1024 Jun 22 01:39 columns_priv.MYI
-rw-rw----    1 mysql    mysql        8982 Jun 22 01:39 db.frm
-rw-rw----    1 mysql    mysql         302 Jun 22 01:39 db.MYD
-rw-rw----    1 mysql    mysql        3072 Jun 22 01:39 db.MYI
-rw-rw----    1 mysql    mysql        8641 Jun 22 01:39 func.frm
-rw-rw----    1 mysql    mysql           0 Jun 22 01:39 func.MYD
-rw-rw----    1 mysql    mysql        1024 Jun 22 01:39 func.MYI
-rw-rw----    1 mysql    mysql        8958 Jun 22 01:39 host.frm
-rw-rw----    1 mysql    mysql           0 Jun 22 01:39 host.MYD
-rw-rw----    1 mysql    mysql        1024 Jun 22 01:39 host.MYI
-rw-rw----    1 mysql    mysql        8877 Jun 22 01:39 tables_priv.frm
-rw-rw----    1 mysql    mysql           0 Jun 22 01:39 tables_priv.MYD
-rw-rw----    1 mysql    mysql        1024 Jun 22 01:39 tables_priv.MYI
-rw-rw----    1 mysql    mysql        9148 Jun 22 01:39 user.frm
-rw-rw----    1 mysql    mysql         428 Jun 22 01:39 user.MYD
-rw-rw----    1 mysql    mysql        2048 Jun 22 01:39 user.MYI

/mnt/ram4/var/lib/mysql/test:
total 2
drwx------    2 mysql    mysql        1024 Jun 22 01:39 .
drwxr-xr-x    4 mysql    mysql        1024 Jun 22 01:39 ..
*** List MySQL Processes...
root      2826  2825  1 01:39 ttyp0    00:00:00 /bin/bash /root/bin/setup_mysql -rd /dev/ram4 -rds 128 -rmp /mnt/ram4 -v
root      2908     1  0 01:39 ttyp0    00:00:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
mysql     2930  2908  0 01:39 ttyp0    00:00:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/mnt/ram4/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking
*** Try to initialize the Snort MySQL databases...
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          5
Current database:       snort
Current user:           root@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 4 sec

Threads: 1  Questions: 7  Slow queries: 0  Opens: 7  Flush tables: 1  Open tables: 1  Queries per second avg: 1.750
--------------

--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          5
Current database:       snort_archive
Current user:           root@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 4 sec

Threads: 1  Questions: 13  Slow queries: 0  Opens: 8  Flush tables: 1  Open tables: 2  Queries per second avg: 3.250
--------------

*** Initialize the base Snort MySQL database tables...
/usr/local/bin/mysql -u snort -p****** snort < /usr/local/snort/contrib/create_mysql
*** Create the extra Snort MySQL database tables and entries...
/bin/zcat /usr/local/snort/contrib/snortdb-extra.gz | /usr/local/bin/mysql -u snort -p****** snort
*** Initialize the Snort archive database tables...
/usr/local/bin/mysql -u snort -p****** snort_archive < /usr/local/snort/contrib/create_mysql
*** Test for proper MySQL database setup for Snort...
List Snort database status and service entries: (ports: between 20 and 30)...
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          9
Current database:       snort
Current user:           snort@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 17 sec

Threads: 1  Questions: 131657  Slow queries: 0  Opens: 52  Flush tables: 1  Open tables: 11  Queries per second avg: 7744.529
--------------

port    protocol  name     description
21      6         ftp      File Transfer [Control]
21      17        ftp      File Transfer [Control]
22      6         -        Unassigned
22      17        -        Unassigned
23      6         telnet   Telnet
23      17        telnet   Telnet
24      6         -        Unassigned
24      17        -        Unassigned
25      6         smtp     Simple Mail Transfer
25      17        smtp     Simple Mail Transfer
26      6         -        Unassigned
26      17        -        Unassigned
27      6         nsw-fe   NSW User System FE
27      17        nsw-fe   NSW User System FE
28      6         -        Unassigned
28      17        -        Unassigned
29      6         msg-icp  MSG ICP
29      17        msg-icp  MSG ICP
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          9
Current database:       snort_archive
Current user:           snort@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 17 sec

Threads: 1  Questions: 131660  Slow queries: 0  Opens: 52  Flush tables: 1  Open tables: 11  Queries per second avg: 7744.706
--------------

Tables_in_snort_archive
data
detail
encoding
event
icmphdr
iphdr
opt
reference
reference_system
schema
sensor
sig_class
sig_reference
signature
tcphdr
udphdr
*** Setting up "ACID" for Snort...
/bin/tar -xzf /usr/local/snort/snort-utils/ACID/acid-0.9.6b23.tar.gz
*** Setting up: "ADODB" for Snort...
/bin/tar -xzf /usr/local/snort/snort-utils/ADODB/adodb410.tgz
*** Setting up: "JPGRAPH" for Snort...
/bin/tar -xzf /usr/local/snort/snort-utils/JPGRAPH/jpgraph-1.13.tar.gz
*** Editing ACID config file: "acid_conf.php"...
*** Snort config files: "/etc/snort_eth2"...
total 262
drwxr-xr-x    2 root     root         1024 Jun 22 01:39 .
drwxr-xr-x   45 root     root         3072 Jun 22 01:39 ..
-rw-r--r--    1 root     root         3521 Jun 21 13:15 classification.config
-rw-r--r--    1 root     root         1622 Jun 21 13:15 generators
-rw-r--r--    1 root     root         6799 Jun 21 13:15 gen-msg.map
-rw-r--r--    1 root     root          608 Jun 21 13:15 reference.config
-rw-rw-r--    1 root     root           59 Jun 21 13:15 sid
-rw-rw-r--    1 root     root       167674 Jun 21 13:15 sid-msg.map
-rw-rw-r--    1 root     root        22834 Jun 22 01:39 snort.conf
-rw-r--r--    1 root     root        53841 Jun 21 13:15 unicode.map
*** Setup Snort complete...

... A SNORT CONFIGURATION INSTANCE FOR INTERFACE: eth2 ...
**************************************************************
**************************************************************
***                  Snort Version: 2.1.3-1
***            Snort MySQL Version: 2.1.3-1
***     Snort Utility ACID Version: 0.9.6b23
***    Snort Utility ADODB Version: 410
***  Snort Utility JPGraph Version: 1.13
***      Snort Execution Directory: /mnt/ram4/snort
***       Snort Configuration File: /etc/snort_eth2/snort.conf
***          Snort Rules Directory: /mnt/ram4/snort/rules
***        MySQL Database Hostname: localhost
***            MySQL Database Port: 3306
***            Snort IDS Interface: eth2
***          Snort IDS Sensor Name: FW-Dirty
*** Snort Alert Event Logging Mode: full
**************************************************************
**************************************************************

---- To run Snort on interface: eth2 ----
# cd /mnt/ram4/snort
# ifconfig eth2 up
# ./snort -c /etc/snort_eth2/snort.conf &
Each step in the setup process for the NST snort implementation can be followed in the output above. One can see the following:

  - Creation of a 128MB RAM disk for snort data files, the MySQL database directory structure, and ACID related data files.
  - Remote rule set download from "http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz".
  - Creation of a MySQL database instance for logging snort security incident alerts and events, the extra tables, and the archive database.
  - Analysis Console for Intrusion Databases (ACID) setup.
  - Snort utility Active Data Objects Data Base (ADODB) setup.
  - Object-Oriented (OO) graphics class library JPGRAPH setup.
  - A summary section with the commands to execute for running the configured snort setup.
The output below shows the result of starting up a snort instance on network interface "eth2", using the commands given in the summary section:
[root@probe root]# cd /mnt/ram4/snort
[root@probe snort]# ifconfig eth2 up
[root@probe snort]# ./snort -c /etc/snort_eth2/snort.conf &
[1] 3033
[root@probe snort]# Running in IDS mode
Log directory = /var/log/snort
Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_eth2/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Found logdir config directive (/mnt/ram4/snort/logs)
Initializing Network Interface eth2
OpenPcap() device eth2 network lookup:
        eth2: no IPv4 address assigned
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort_eth2/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory: YES alert: NO
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: YES alert: YES
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:          port = 3306
database:   sensor name = FW-Dirty
database:  detail level = full
database:     sensor id = 1
database: schema version = 106
database: using the "alert" facility
1746 Snort rules read...
1746 Option Chains linked into 166 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2275     type=Threshold tracking=dst count=5   seconds=60
| gen-id=1      sig-id=2523     type=Both      tracking=dst count=10  seconds=10
+-----------------------[suppression]------------------------------------------
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.3 (Build 27)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
At this point snort is up and running on the stealth network interface "eth2". One can now proceed to the section called “Examining Snort Results” and use ACID to monitor any network intrusion traffic activity.
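The standalone command above and the remote-collector variant ("-d <host>") both depend on checks the help text leaves to the operator: a sensor name with no spaces, a RAM disk that fits in free memory, and a monitor interface with no IP address bound. The POSIX shell functions below are an added example, not part of NST or the setup_snort script; the function names and the embedded "free -m" and "ifconfig -a" samples are constructed for this demonstration.

```shell
#!/bin/sh
# Pre-flight checks before running /usr/local/snort/setup_snort on an NST probe.
# Added example, not part of NST: function names and the sample outputs below
# are constructed for this demonstration.

# setup_snort's help text says a sensor name must not contain spaces
# ("Sensor 1" => "Sensor_1"); apply that rule before passing "-s".
sensor_name_sanitize() {
    printf '%s\n' "$1" | tr ' ' '_'
}

# Return 0 if a RAM disk of $1 MB, plus a safety margin of $2 MB (default 32)
# for MySQL, ACID and Snort themselves, fits in the "free" column of the
# "Mem:" line of "free -m" output read from stdin.  Real use:
#   free -m | ramdisk_fits 128
ramdisk_fits() {
    req_mb=$1
    margin_mb=${2:-32}
    free_mb=$(awk '/^Mem:/ { print $4 }')
    [ -n "$free_mb" ] || return 2
    [ $((req_mb + margin_mb)) -le "$free_mb" ]
}

# Return 0 if interface $1 appears in "ifconfig -a" output read from stdin
# and has no "inet addr:" line, i.e. it is a stealth monitoring interface
# like "eth2" in the example above.  Real use:
#   ifconfig -a | iface_is_stealth eth2
iface_is_stealth() {
    awk -v want="$1" '
        /^[A-Za-z0-9]/ { cur = $1 }                # interface header line
        cur == want && /inet addr:/ { bound = 1 }  # IPv4 address present
        cur == want { seen = 1 }
        END { if (seen && !bound) exit 0; exit 1 }'
}

# Assemble the setup_snort command line used in the standalone example,
# adding "-d <host>" when events should go to a remote collector database
# (the help text notes no local MySQL instance is started in that case).
build_setup_cmd() {
    iface=$1
    sensor=$(sensor_name_sanitize "$2")
    ramdisk_mb=$3
    dbhost=${4:-localhost}
    cmd="/usr/local/snort/setup_snort -r remote -i $iface -s \"$sensor\" -a full -rds $ramdisk_mb"
    [ "$dbhost" = localhost ] || cmd="$cmd -d $dbhost"
    printf '%s\n' "$cmd"
}

# Constructed sample "free -m" output: 181 MB free on a 501 MB system.
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:           501        320        181          0         12         90
Swap:            0          0          0'

# Constructed sample "ifconfig -a" output in the layout of the listing above:
# eth0 has an address bound, eth2 does not.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:54:BD:14:93:12
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth2      Link encap:Ethernet  HWaddr 00:04:75:A1:EF:AB
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# Run every check against the samples and print the command that would be
# typed; return non-zero with a reason on stderr if any check fails.
preflight_demo() {
    iface=$1; sensor=$2; ramdisk_mb=$3; dbhost=${4:-localhost}
    if ! printf '%s\n' "$SAMPLE_IFCONFIG" | iface_is_stealth "$iface"; then
        echo "preflight: $iface is missing or has an IPv4 address bound" >&2
        return 1
    fi
    if ! printf '%s\n' "$SAMPLE_FREE" | ramdisk_fits "$ramdisk_mb"; then
        echo "preflight: ${ramdisk_mb}MB RAM disk does not fit in free memory" >&2
        return 1
    fi
    build_setup_cmd "$iface" "$sensor" "$ramdisk_mb" "$dbhost"
}
```

Replace the two sample variables with real "free -m" and "ifconfig -a" pipelines to use the checks on a live probe.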
In this example we will set up and configure a backend MySQL database that is ready to receive snort events. A federation of remote IDS snort probes strategically placed throughout an enterprise network computing environment, as shown in Figure 6.5, “Network Enterprise Diagram”, can then forward any detected security incidents to this database engine. Typically an IDS snort probe will be positioned at the ingress/egress interface point for a particular security zone. The setup_snort script will be run with the "collector" mode option enabled to initialize the backend MySQL database.

The backend MySQL database will be running on NST probe 10.222.222.101. This particular NST system has a locally attached disk drive formatted with a Linux Ext3 file system, and the runtime MySQL database file structure will be located on this disk at mount point "/mnt/ext3/mysql". The "collector" configuration is shown below with the options passed to the setup_snort script. This is the initial setup; no prior MySQL setup has occurred on this system.
[root@probe snort]# /usr/local/snort/setup_snort -c -rdir /mnt/ext3/mysql -v

*** Setup the MySQL Server...
/root/bin/setup_mysql -rdir /mnt/ext3/mysql -v
*** Creating a new MySQL database file structure at: "/mnt/ext3/mysql/var/lib/mysql"...
*** Starting up the MySQL database server...
Initializing MySQL database:                               [  OK  ]
Starting MySQL:                                            [  OK  ]
*** Assigning a password for database user: "root"...
*** Successfully started up a MySQL database server...
*** List MySQL Database Directory...
/mnt/ext3/mysql/var/lib:
total 12
drwxr-xr-x    3 root     root         4096 Jun 22 21:24 .
drwxr-xr-x    3 root     root         4096 Jun 22 21:24 ..
drwxr-xr-x    4 mysql    mysql        4096 Jun 22 21:24 mysql

/mnt/ext3/mysql/var/lib/mysql:
total 16
drwxr-xr-x    4 mysql    mysql        4096 Jun 22 21:24 .
drwxr-xr-x    3 root     root         4096 Jun 22 21:24 ..
drwx------    2 mysql    mysql        4096 Jun 22 21:24 mysql
srwxrwxrwx    1 mysql    mysql           0 Jun 22 21:24 mysql.sock
drwx------    2 mysql    mysql        4096 Jun 22 21:24 test

/mnt/ext3/mysql/var/lib/mysql/mysql:
total 112
drwx------    2 mysql    mysql        4096 Jun 22 21:24 .
drwxr-xr-x    4 mysql    mysql        4096 Jun 22 21:24 ..
-rw-rw----    1 mysql    mysql        8778 Jun 22 21:24 columns_priv.frm
-rw-rw----    1 mysql    mysql           0 Jun 22 21:24 columns_priv.MYD
-rw-rw----    1 mysql    mysql        1024 Jun 22 21:24 columns_priv.MYI
-rw-rw----    1 mysql    mysql        8982 Jun 22 21:24 db.frm
-rw-rw----    1 mysql    mysql         302 Jun 22 21:24 db.MYD
-rw-rw----    1 mysql    mysql        3072 Jun 22 21:24 db.MYI
-rw-rw----    1 mysql    mysql        8641 Jun 22 21:24 func.frm
-rw-rw----    1 mysql    mysql           0 Jun 22 21:24 func.MYD
-rw-rw----    1 mysql    mysql        1024 Jun 22 21:24 func.MYI
-rw-rw----    1 mysql    mysql        8958 Jun 22 21:24 host.frm
-rw-rw----    1 mysql    mysql           0 Jun 22 21:24 host.MYD
-rw-rw----    1 mysql    mysql        1024 Jun 22 21:24 host.MYI
-rw-rw----    1 mysql    mysql        8877 Jun 22 21:24 tables_priv.frm
-rw-rw----    1 mysql    mysql           0 Jun 22 21:24 tables_priv.MYD
-rw-rw----    1 mysql    mysql        1024 Jun 22 21:24 tables_priv.MYI
-rw-rw----    1 mysql    mysql        9148 Jun 22 21:24 user.frm
-rw-rw----    1 mysql    mysql         428 Jun 22 21:24 user.MYD
-rw-rw----    1 mysql    mysql        2048 Jun 22 21:24 user.MYI

/mnt/ext3/mysql/var/lib/mysql/test:
total 8
drwx------    2 mysql    mysql        4096 Jun 22 21:24 .
drwxr-xr-x    4 mysql    mysql        4096 Jun 22 21:24 ..
*** List MySQL Processes...
root      1330   697  1 21:24 ttyp0    00:00:00 /bin/bash ./setup_snort -c -rdir /mnt/ext3/mysql -v
root      1339  1338  2 21:24 ttyp0    00:00:00 /bin/bash /root/bin/setup_mysql -rdir /mnt/ext3/mysql -v
root      1402     1  1 21:24 ttyp0    00:00:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
mysql     1428  1402  1 21:24 ttyp0    00:00:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/mnt/ext3/mysql/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking
*** Try to initialize the Snort MySQL databases...
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          5
Current database:       snort
Current user:           root@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 5 sec

Threads: 1  Questions: 7  Slow queries: 0  Opens: 7  Flush tables: 1  Open tables: 1  Queries per second avg: 1.400
--------------

--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          5
Current database:       snort_archive
Current user:           root@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 5 sec

Threads: 1  Questions: 13  Slow queries: 0  Opens: 8  Flush tables: 1  Open tables: 2  Queries per second avg: 2.600
--------------

*** Initialize the base Snort MySQL database tables...
/usr/local/bin/mysql -u snort -p****** snort < /usr/local/snort/contrib/create_mysql
*** Create the extra Snort MySQL database tables and entries...
/bin/zcat /usr/local/snort/contrib/snortdb-extra.gz | /usr/local/bin/mysql -u snort -p****** snort
*** Initialize the Snort archive database tables...
/usr/local/bin/mysql -u snort -p****** snort_archive < /usr/local/snort/contrib/create_mysql
*** Test for proper MySQL database setup for Snort...
List Snort database status and service entries: (ports: between 20 and 30)...
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          9
Current database:       snort
Current user:           snort@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 58 sec

Threads: 1  Questions: 131657  Slow queries: 0  Opens: 52  Flush tables: 1  Open tables: 11  Queries per second avg: 2269.948
--------------

port    protocol  name     description
21      6         ftp      File Transfer [Control]
21      17        ftp      File Transfer [Control]
22      6         -        Unassigned
22      17        -        Unassigned
23      6         telnet   Telnet
23      17        telnet   Telnet
24      6         -        Unassigned
24      17        -        Unassigned
25      6         smtp     Simple Mail Transfer
25      17        smtp     Simple Mail Transfer
26      6         -        Unassigned
26      17        -        Unassigned
27      6         nsw-fe   NSW User System FE
27      17        nsw-fe   NSW User System FE
28      6         -        Unassigned
28      17        -        Unassigned
29      6         msg-icp  MSG ICP
29      17        msg-icp  MSG ICP
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          9
Current database:       snort_archive
Current user:           snort@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 58 sec

Threads: 1  Questions: 131660  Slow queries: 0  Opens: 52  Flush tables: 1  Open tables: 11  Queries per second avg: 2270.000
--------------

Tables_in_snort_archive
data
detail
encoding
event
icmphdr
iphdr
opt
reference
reference_system
schema
sensor
sig_class
sig_reference
signature
tcphdr
udphdr
*** Setting up "ACID" for Snort...
/bin/tar -xzf /usr/local/snort/snort-utils/ACID/acid-0.9.6b23.tar.gz
*** Setting up: "ADODB" for Snort...
/bin/tar -xzf /usr/local/snort/snort-utils/ADODB/adodb410.tgz
*** Setting up: "JPGRAPH" for Snort...
/bin/tar -xzf /usr/local/snort/snort-utils/JPGRAPH/jpgraph-1.13.tar.gz *** Editing ACID config file: "acid_conf.php"... **************************************************** **************************************************** *** A MySQL database is running on this probe at *** IP:Port: 10.222.222.101:3306 for the collection *** of remote Snort security incidents. **************************************************** ****************************************************
Another setup example is shown below, where a prior MySQL instance already existed and had been configured for snort. The -rdir DIR option is used to attach to the existing MySQL file structure at directory location: /mnt/ext3/mysql.
[root@probe root]# fdisk -l

Disk /dev/hdc: 20.0 GB, 20060135424 bytes
255 heads, 63 sectors/track, 2438 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hdc1             1      2438  19583203+  83  Linux
[root@probe root]# mount -t ext3 /dev/hdc1 /mnt/ext3
[root@probe root]# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/ram                 63461     31143     32318  50% /
none                    127024         0    127024   0% /dev/shm
/dev/cdrom              492928    492928         0 100% /mnt/cdrom
/dev/hdc1             19275868     65160  18231548   1% /mnt/ext3
[root@probe root]# ls -al /mnt/ext3
total 29
drwxr-xr-x 5 root root 4096 Jun 22 21:23 .
drwxr-xr-x 28 root root 1024 Jun 25 23:05 ..
drwx------ 2 root root 16384 May 30 19:31 lost+found
drwxr-xr-x 3 root root 4096 Jun 22 21:24 mysql
drwxr-xr-x 3 root root 4096 Jun 19 09:34 var
[root@probe root]# cd /usr/local/snort
[root@probe snort]# ./setup_snort -c -rdir /mnt/ext3/mysql -v
*** Setup the MySQL Server...
/root/bin/setup_mysql -rdir /mnt/ext3/mysql -v
*** Using existing MySQL database file structure at: "/mnt/ext3/mysql/var/lib/mysql"...
*** Starting up the MySQL database server...
Starting MySQL:  [  OK  ]
*** A password for database user: "root" was already set...
*** Successfully started up a MySQL database server...
*** List MySQL Database Directory...
/mnt/ext3/mysql/var/lib:
total 12
drwxr-xr-x 3 root root 4096 Jun 22 21:24 .
drwxr-xr-x 4 root root 4096 Jun 22 21:25 ..
drwxr-xr-x 6 mysql mysql 4096 Jun 26 20:28 mysql

/mnt/ext3/mysql/var/lib/mysql:
total 24
drwxr-xr-x 6 mysql mysql 4096 Jun 26 20:28 .
drwxr-xr-x 3 root root 4096 Jun 22 21:24 ..
drwx------ 2 mysql mysql 4096 Jun 22 21:24 mysql
srwxrwxrwx 1 mysql mysql 0 Jun 26 20:28 mysql.sock
drwx------ 2 mysql mysql 4096 Jun 24 23:59 snort
drwx------ 2 mysql mysql 4096 Jun 22 21:25 snort_archive
drwx------ 2 mysql mysql 4096 Jun 22 21:24 test

/mnt/ext3/mysql/var/lib/mysql/mysql:
total 112
drwx------ 2 mysql mysql 4096 Jun 22 21:24 .
drwxr-xr-x 6 mysql mysql 4096 Jun 26 20:28 ..
-rw-rw---- 1 mysql mysql 8778 Jun 22 21:24 columns_priv.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:24 columns_priv.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:24 columns_priv.MYI
-rw-rw---- 1 mysql mysql 8982 Jun 22 21:24 db.frm
-rw-rw---- 1 mysql mysql 906 Jun 22 21:24 db.MYD
-rw-rw---- 1 mysql mysql 3072 Jun 24 00:22 db.MYI
-rw-rw---- 1 mysql mysql 8641 Jun 22 21:24 func.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:24 func.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:24 func.MYI
-rw-rw---- 1 mysql mysql 8958 Jun 22 21:24 host.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:24 host.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:24 host.MYI
-rw-rw---- 1 mysql mysql 8877 Jun 22 21:24 tables_priv.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:24 tables_priv.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:24 tables_priv.MYI
-rw-rw---- 1 mysql mysql 9148 Jun 22 21:24 user.frm
-rw-rw---- 1 mysql mysql 642 Jun 22 21:24 user.MYD
-rw-rw---- 1 mysql mysql 2048 Jun 24 00:22 user.MYI

/mnt/ext3/mysql/var/lib/mysql/snort:
total 4468
drwx------ 2 mysql mysql 4096 Jun 24 23:59 .
drwxr-xr-x 6 mysql mysql 4096 Jun 26 20:28 ..
-rw-rw---- 1 mysql mysql 8612 Jun 24 23:59 acid_ag_alert.frm
-rw-rw---- 1 mysql mysql 0 Jun 24 23:59 acid_ag_alert.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 24 23:59 acid_ag_alert.MYI
-rw-rw---- 1 mysql mysql 8680 Jun 24 23:59 acid_ag.frm
-rw-rw---- 1 mysql mysql 0 Jun 24 23:59 acid_ag.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 24 23:59 acid_ag.MYI
-rw-rw---- 1 mysql mysql 8922 Jun 24 23:59 acid_event.frm
-rw-rw---- 1 mysql mysql 34600 Jun 25 13:05 acid_event.MYD
-rw-rw---- 1 mysql mysql 76800 Jun 25 16:10 acid_event.MYI
-rw-rw---- 1 mysql mysql 8728 Jun 24 23:59 acid_ip_cache.frm
-rw-rw---- 1 mysql mysql 0 Jun 24 23:59 acid_ip_cache.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 24 23:59 acid_ip_cache.MYI
-rw-rw---- 1 mysql mysql 8614 Jun 22 21:24 data.frm
-rw-rw---- 1 mysql mysql 206296 Jun 25 21:21 data.MYD
-rw-rw---- 1 mysql mysql 6144 Jun 25 23:03 data.MYI
-rw-rw---- 1 mysql mysql 8606 Jun 22 21:24 detail.frm
-rw-rw---- 1 mysql mysql 40 Jun 22 21:24 detail.MYD
-rw-rw---- 1 mysql mysql 2048 Jun 24 00:22 detail.MYI
-rw-rw---- 1 mysql mysql 8614 Jun 22 21:24 encoding.frm
-rw-rw---- 1 mysql mysql 60 Jun 22 21:24 encoding.MYD
-rw-rw---- 1 mysql mysql 2048 Jun 24 00:22 encoding.MYI
-rw-rw---- 1 mysql mysql 8642 Jun 22 21:24 event.frm
-rw-rw---- 1 mysql mysql 9450 Jun 25 21:21 event.MYD
-rw-rw---- 1 mysql mysql 21504 Jun 25 23:03 event.MYI
-rw-rw---- 1 mysql mysql 8802 Jun 22 21:24 flags.frm
-rw-rw---- 1 mysql mysql 17476 Jun 22 21:25 flags.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 24 00:22 flags.MYI
-rw-rw---- 1 mysql mysql 8738 Jun 22 21:24 icmphdr.frm
-rw-rw---- 1 mysql mysql 2567 Jun 25 21:21 icmphdr.MYD
-rw-rw---- 1 mysql mysql 5120 Jun 25 23:03 icmphdr.MYI
-rw-rw---- 1 mysql mysql 8920 Jun 22 21:24 iphdr.frm
-rw-rw---- 1 mysql mysql 14400 Jun 25 21:21 iphdr.MYD
-rw-rw---- 1 mysql mysql 18432 Jun 25 23:03 iphdr.MYI
-rw-rw---- 1 mysql mysql 8728 Jun 22 21:24 opt.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:24 opt.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:24 opt.MYI
-rw-rw---- 1 mysql mysql 8624 Jun 22 21:24 protocols.frm
-rw-rw---- 1 mysql mysql 6248 Jun 22 21:24 protocols.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 24 00:22 protocols.MYI
-rw-rw---- 1 mysql mysql 8630 Jun 22 21:24 reference.frm
-rw-rw---- 1 mysql mysql 644 Jun 25 13:03 reference.MYD
-rw-rw---- 1 mysql mysql 2048 Jun 25 16:10 reference.MYI
-rw-rw---- 1 mysql mysql 8618 Jun 22 21:24 reference_system.frm
-rw-rw---- 1 mysql mysql 100 Jun 24 08:12 reference_system.MYD
-rw-rw---- 1 mysql mysql 2048 Jun 24 23:34 reference_system.MYI
-rw-rw---- 1 mysql mysql 8580 Jun 22 21:24 schema.frm
-rw-rw---- 1 mysql mysql 13 Jun 22 21:24 schema.MYD
-rw-rw---- 1 mysql mysql 2048 Jun 24 00:22 schema.MYI
-rw-rw---- 1 mysql mysql 8738 Jun 22 21:24 sensor.frm
-rw-rw---- 1 mysql mysql 108 Jun 25 10:35 sensor.MYD
-rw-rw---- 1 mysql mysql 2048 Jun 25 16:10 sensor.MYI
-rw-rw---- 1 mysql mysql 8648 Jun 22 21:24 services.frm
-rw-rw---- 1 mysql mysql 3686536 Jun 22 21:25 services.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 24 00:22 services.MYI
-rw-rw---- 1 mysql mysql 8614 Jun 22 21:24 sig_class.frm
-rw-rw---- 1 mysql mysql 180 Jun 25 12:59 sig_class.MYD
-rw-rw---- 1 mysql mysql 4096 Jun 25 16:10 sig_class.MYI
-rw-rw---- 1 mysql mysql 8730 Jun 22 21:24 signature.frm
-rw-rw---- 1 mysql mysql 1480 Jun 25 13:03 signature.MYD
-rw-rw---- 1 mysql mysql 4096 Jun 25 16:10 signature.MYI
-rw-rw---- 1 mysql mysql 8616 Jun 22 21:24 sig_reference.frm
-rw-rw---- 1 mysql mysql 442 Jun 25 13:03 sig_reference.MYD
-rw-rw---- 1 mysql mysql 2048 Jun 25 16:10 sig_reference.MYI
-rw-rw---- 1 mysql mysql 8888 Jun 22 21:24 tcphdr.frm
-rw-rw---- 1 mysql mysql 7770 Jun 25 19:26 tcphdr.MYD
-rw-rw---- 1 mysql mysql 15360 Jun 25 23:03 tcphdr.MYI
-rw-rw---- 1 mysql mysql 8704 Jun 22 21:24 udphdr.frm
-rw-rw---- 1 mysql mysql 680 Jun 25 21:21 udphdr.MYD
-rw-rw---- 1 mysql mysql 4096 Jun 25 23:03 udphdr.MYI

/mnt/ext3/mysql/var/lib/mysql/snort_archive:
total 276
drwx------ 2 mysql mysql 4096 Jun 22 21:25 .
drwxr-xr-x 6 mysql mysql 4096 Jun 26 20:28 ..
-rw-rw---- 1 mysql mysql 8614 Jun 22 21:25 data.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:25 data.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:25 data.MYI
-rw-rw---- 1 mysql mysql 8606 Jun 22 21:25 detail.frm
-rw-rw---- 1 mysql mysql 40 Jun 22 21:25 detail.MYD
-rw-rw---- 1 mysql mysql 2048 Jun 24 00:22 detail.MYI
-rw-rw---- 1 mysql mysql 8614 Jun 22 21:25 encoding.frm
-rw-rw---- 1 mysql mysql 60 Jun 22 21:25 encoding.MYD
-rw-rw---- 1 mysql mysql 2048 Jun 24 00:22 encoding.MYI
-rw-rw---- 1 mysql mysql 8642 Jun 22 21:25 event.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:25 event.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:25 event.MYI
-rw-rw---- 1 mysql mysql 8738 Jun 22 21:25 icmphdr.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:25 icmphdr.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:25 icmphdr.MYI
-rw-rw---- 1 mysql mysql 8920 Jun 22 21:25 iphdr.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:25 iphdr.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:25 iphdr.MYI
-rw-rw---- 1 mysql mysql 8728 Jun 22 21:25 opt.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:25 opt.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:25 opt.MYI
-rw-rw---- 1 mysql mysql 8630 Jun 22 21:25 reference.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:25 reference.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:25 reference.MYI
-rw-rw---- 1 mysql mysql 8618 Jun 22 21:25 reference_system.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:25 reference_system.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:25 reference_system.MYI
-rw-rw---- 1 mysql mysql 8580 Jun 22 21:25 schema.frm
-rw-rw---- 1 mysql mysql 13 Jun 22 21:25 schema.MYD
-rw-rw---- 1 mysql mysql 2048 Jun 24 00:22 schema.MYI
-rw-rw---- 1 mysql mysql 8738 Jun 22 21:25 sensor.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:25 sensor.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:25 sensor.MYI
-rw-rw---- 1 mysql mysql 8614 Jun 22 21:25 sig_class.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:25 sig_class.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:25 sig_class.MYI
-rw-rw---- 1 mysql mysql 8730 Jun 22 21:25 signature.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:25 signature.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:25 signature.MYI
-rw-rw---- 1 mysql mysql 8616 Jun 22 21:25 sig_reference.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:25 sig_reference.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:25 sig_reference.MYI
-rw-rw---- 1 mysql mysql 8888 Jun 22 21:25 tcphdr.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:25 tcphdr.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:25 tcphdr.MYI
-rw-rw---- 1 mysql mysql 8704 Jun 22 21:25 udphdr.frm
-rw-rw---- 1 mysql mysql 0 Jun 22 21:25 udphdr.MYD
-rw-rw---- 1 mysql mysql 1024 Jun 22 21:25 udphdr.MYI

/mnt/ext3/mysql/var/lib/mysql/test:
total 8
drwx------ 2 mysql mysql 4096 Jun 22 21:24 .
drwxr-xr-x 6 mysql mysql 4096 Jun 26 20:28 ..
*** List MySQL Processes...
root 821 758 1 20:28 ttyp0 00:00:00 /bin/bash ./setup_snort -c -rdir /mnt/ext3/mysql -v
root 830 829 0 20:28 ttyp0 00:00:00 /bin/bash /root/bin/setup_mysql -rdir /mnt/ext3/mysql -v
root 872 1 0 20:28 ttyp0 00:00:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
mysql 898 872 1 20:28 ttyp0 00:00:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/mnt/ext3/mysql/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking
*** Try to initialize the Snort MySQL databases...
*** Prior MySQL databases for Snort detected...
*** Test for proper MySQL database setup for Snort...
List Snort database status and service entries: (ports: between 20 and 30)...
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          5
Current database:       snort
Current user:           snort@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 4 sec

Threads: 1  Questions: 8  Slow queries: 0  Opens: 6  Flush tables: 1  Open tables: 0  Queries per second avg: 2.000
--------------
port  protocol  name     description
21    6         ftp      File Transfer [Control]
21    17        ftp      File Transfer [Control]
22    6         -        Unassigned
22    17        -        Unassigned
23    6         telnet   Telnet
23    17        telnet   Telnet
24    6         -        Unassigned
24    17        -        Unassigned
25    6         smtp     Simple Mail Transfer
25    17        smtp     Simple Mail Transfer
26    6         -        Unassigned
26    17        -        Unassigned
27    6         nsw-fe   NSW User System FE
27    17        nsw-fe   NSW User System FE
28    6         -        Unassigned
28    17        -        Unassigned
29    6         msg-icp  MSG ICP
29    17        msg-icp  MSG ICP
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          5
Current database:       snort_archive
Current user:           snort@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 5 sec

Threads: 1  Questions: 11  Slow queries: 0  Opens: 7  Flush tables: 1  Open tables: 1  Queries per second avg: 2.200
--------------
Tables_in_snort_archive
data
detail
encoding
event
icmphdr
iphdr
opt
reference
reference_system
schema
sensor
sig_class
sig_reference
signature
tcphdr
udphdr
*** "ACID" configuration already exists, skipping setup...
*** "ADODB" configuration already exists, skipping setup...
*** "JPGRAPH" configuration already exists, skipping setup...
*** Editing ACID config file: "acid_conf.php"...
****************************************************
****************************************************
*** A MySQL database is running on this probe at
*** IP:Port: 10.222.222.101:3306 for the collection
*** of remote Snort security incidents.
****************************************************
****************************************************
The commands in the session above, in order:

1. fdisk -l: List the partition table found in the Kernel proc file.
2. mount -t ext3 /dev/hdc1 /mnt/ext3: Mount the Linux Ext3 file system found on partition: /dev/hdc1.
3. df: Display all mounted file systems with command: df.
4. ls -al /mnt/ext3: Display a long directory listing at the mount point: /mnt/ext3.
5. ./setup_snort -c -rdir /mnt/ext3/mysql -v: Set up the Snort "Collector" using the existing MySQL at directory location: /mnt/ext3/mysql.
At this point a backend MySQL snort database collector is configured, running, and waiting for remote snort security incidents. The collector mode also configures ACID to be used with this snort database.
The collector mode does not set up the NST probe as an IDS snort sensor. The "IP address:port" on which MySQL listens for TCP/IP connections in this example is: 10.222.222.101:3306.
We will now set up a remote snort IDS probe, 10.222.222.110, and log all security incidents detected on stealth interface "eth1" to the backend MySQL snort database collector at 10.222.222.101:3306. Interface "eth1" is monitoring all traffic entering and leaving Security Zone 1 (DMZ) on NST "probe 2".
[root@probe snort]# /usr/local/snort/setup_snort -r remote -i eth1 -d 10.222.222.101 -s DMZ -a full -v
*** Creating a 64MByte RAM disk at mount point: "/mnt/ram4"...
/root/bin/create_ramdisk -s 64 -d /dev/ram4 -m /mnt/ram4 -v
============================================================
= Creating a 65536KB RAM disk at mount point: /mnt/ram4... =
============================================================
*** Zeroing out RAM device: "/dev/ram4"...
/bin/dd if=/dev/zero of=/dev/ram4 bs=1k count=65536
65536+0 records in
65536+0 records out
*** Creating a 65536KB Linux ext2 file system on RAM device: "/dev/ram4"...
/sbin/mke2fs -vm 0 /dev/ram4 65536
mke2fs 1.32 (09-Nov-2002)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
16384 inodes, 65536 blocks
0 blocks (0.00%) reserved for the super user
First data block=1
8 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 23 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
*** Mounting RAM disk device: "/dev/ram4" at mount point: "/mnt/ram4"...
/bin/mount -t ext2 /dev/ram4 /mnt/ram4
*** Show all current mounts...
/bin/df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/ram                 63461     31255     32206  50% /
none                    256892         0    256892   0% /dev/shm
/dev/cdrom              494048    494048         0 100% /mnt/cdrom
/dev/ram4                63461        13     63448   1% /mnt/ram4
*** Successfully created a 65536KB RAM Disk: "/dev/ram4" at mount point: "/mnt/ram4"...
*** Using remote Snort rules definitions...
*** Fetching the latest Snort rule definitions from: "http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz"
/usr/local/bin/wget http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz
--18:13:00--  http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz
           => `snortrules-snapshot-2_1.tar.gz'
Resolving www.snort.org... done.
Connecting to www.snort.org[199.107.65.177]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 141,308 [application/x-gzip]

100%[==================================================================>] 141,308      337.40K/s    ETA 00:00

18:13:00 (337.40 KB/s) - `snortrules-snapshot-2_1.tar.gz' saved [141308/141308]

rules/
rules/classification.config
rules/generators
rules/gen-msg.map
rules/reference.config
rules/sid
rules/sid-msg.map
rules/snort.conf
rules/threshold.conf
rules/unicode.map
rules/attack-responses.rules
rules/backdoor.rules
rules/bad-traffic.rules
rules/cgi-bin.list
rules/chat.rules
rules/ddos.rules
rules/deleted.rules
rules/dns.rules
rules/dos.rules
rules/experimental.rules
rules/exploit.rules
rules/finger.rules
rules/ftp.rules
rules/icmp-info.rules
rules/icmp.rules
rules/imap.rules
rules/info.rules
rules/local.rules
rules/misc.rules
rules/multimedia.rules
rules/mysql.rules
rules/netbios.rules
rules/nntp.rules
rules/oracle.rules
rules/other-ids.rules
rules/p2p.rules
rules/policy.rules
rules/pop2.rules
rules/pop3.rules
rules/porn.rules
rules/rpc.rules
rules/rservices.rules
rules/scan.rules
rules/shellcode.rules
rules/smtp.rules
rules/snmp.rules
rules/sql.rules
rules/telnet.rules
rules/tftp.rules
rules/virus.rules
rules/web-attacks.rules
rules/web-cgi.rules
rules/web-client.rules
rules/web-coldfusion.rules
rules/web-frontpage.rules
rules/web-iis.rules
rules/web-misc.rules
rules/web-php.rules
rules/x11.rules
*** Snort config files: "/etc/snort_eth1"...
total 262
drwxr-xr-x 2 root root 1024 Jun 24 18:13 .
drwxr-xr-x 44 root root 3072 Jun 24 18:13 ..
-rw-r--r-- 1 root root 3521 Jun 24 05:15 classification.config
-rw-r--r-- 1 root root 1622 Jun 24 05:15 generators
-rw-r--r-- 1 root root 6799 Jun 24 05:15 gen-msg.map
-rw-r--r-- 1 root root 608 Jun 24 05:15 reference.config
-rw-rw-r-- 1 root root 59 Jun 24 05:15 sid
-rw-rw-r-- 1 root root 167674 Jun 24 05:15 sid-msg.map
-rw-rw-r-- 1 root root 22834 Jun 24 18:13 snort.conf
-rw-r--r-- 1 root root 53841 Jun 24 05:15 unicode.map
*** Setup Snort complete...
... A SNORT CONFIGURATION INSTANCE FOR INTERFACE: eth1 ...
**************************************************************
**************************************************************
*** Snort Version: 2.1.3-1
*** Snort Execution Directory: /mnt/ram4/snort
*** Snort Configuration File: /etc/snort_eth1/snort.conf
*** Snort Rules Directory: /mnt/ram4/snort/rules
*** MySQL Database Hostname: 10.222.222.101
*** MySQL Database Port: 3306
*** Snort IDS Interface: eth1
*** Snort IDS Sensor Name: DMZ
*** Snort Alert Event Logging Mode: full
**************************************************************
**************************************************************
---- To run Snort on interface: eth1 ----
# cd /mnt/ram4/snort
# ifconfig eth1 up
# ./snort -c /etc/snort_eth1/snort.conf &
The remote snort setup is now complete. Before starting the IDS snort sensor, bring up the stealth interface "eth1" and make any snort rule set changes you need from the defaults in the configuration file: /etc/snort_eth1/snort.conf.
Results for starting up this remote IDS snort sensor are now presented:
[root@probe snort]# cd /mnt/ram4/snort
[root@probe snort]# ifconfig eth1 up
[root@probe snort]# ./snort -c /etc/snort_eth1/snort.conf &
[1] 1335
[root@probe snort]# Running in IDS mode
Log directory = /var/log/snort
Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_eth1/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Found logdir config directive (/mnt/ram4/snort/logs)
Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
        eth1: no IPv4 address assigned
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort_eth1/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory: YES alert: NO
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: YES alert: YES
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = 10.222.222.101
database: port = 3306
database: sensor name = DMZ
database: detail level = full
[root@probe snort]# database: sensor id = 1
database: schema version = 106
database: using the "alert" facility
1746 Snort rules read...
1746 Option Chains linked into 166 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2275     type=Threshold tracking=dst count=5   seconds=60
| gen-id=1      sig-id=2523     type=Both      tracking=dst count=10  seconds=10
+-----------------------[suppression]------------------------------------------
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.3 (Build 27)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
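A defender-side check for the startup output above, added here as an example that is not part of the NST documentation or of the setup_snort script: it parses the "database:" and interface lines that Snort 2.1 prints at startup and confirms the sensor is really sniffing the intended stealth interface and reporting to the intended collector, sensor name and detail level, rather than keeping alerts local. The sample lines are constructed from the shape of the transcript, and the function and pattern names are this example's own.

```python
# Added example (not NST's or setup_snort's code): check a Snort 2.x startup transcript.
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the startup output above; the stray shell
# prompt mimics what the backgrounded "./snort ... &" run printed.
SAMPLE_STARTUP = """\
Initializing Network Interface eth0
Parsing Rules file /etc/snort_eth1/snort.conf
Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
        eth1: no IPv4 address assigned
database: compiled support for ( mysql )
database: user = snort
database: password is set
database: database name = snort
database: host = 10.222.222.101
database: port = 3306
database: sensor name = DMZ
database: detail level = full
[root@probe snort]# database: sensor id = 1
1746 Snort rules read...
--== Initialization Complete ==--
"""

PROMPT_RE = re.compile(r"^\[[^\]]+\]#\s*")            # "[root@probe snort]# "
IFACE_RE = re.compile(r"^Initializing Network Interface (\S+)")
NO_IP_RE = re.compile(r"^\s*(\S+): no IPv4 address assigned")
DB_RE = re.compile(r"^database:\s+([a-z ]+?)\s*=\s*(\S.*?)\s*$")
RULES_RE = re.compile(r"^(\d+) Snort rules read")


@dataclass
class SensorStartup:
    interfaces: list = field(default_factory=list)    # in the order Snort opened them
    no_ip_interfaces: list = field(default_factory=list)
    db: dict = field(default_factory=dict)            # e.g. "host" -> "10.222.222.101"
    rules_read: int = 0
    complete: bool = False


def parse_startup(text: str) -> SensorStartup:
    """Extract interface, rule and database-output facts from Snort's startup lines."""
    s = SensorStartup()
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw)
        if m := IFACE_RE.match(line):
            s.interfaces.append(m.group(1))
        elif m := NO_IP_RE.match(line):
            s.no_ip_interfaces.append(m.group(1))
        elif m := DB_RE.match(line):
            s.db[m.group(1)] = m.group(2)
        elif m := RULES_RE.match(line):
            s.rules_read = int(m.group(1))
        elif "--== Initialization Complete ==--" in line:
            s.complete = True
    return s


def check_sensor(s: SensorStartup, collector_host: str, collector_port: int,
                 sensor_name: str, iface: str, detail: str = "full") -> list:
    """Return findings; an empty list means the sensor matches the deployment plan."""
    findings = []
    if not s.complete:
        findings.append("initialization did not complete")
    if s.rules_read == 0:
        findings.append("no rules loaded: the sensor would alert on nothing")
    # Snort opens its default interface first and then the one named in the
    # config file, so the last interface initialized is the one it sniffs.
    sniffed = s.interfaces[-1] if s.interfaces else "nothing"
    if sniffed != iface:
        findings.append(f"sniffing {sniffed}, expected {iface}")
    if "host" not in s.db:
        findings.append("database output plugin not active: alerts stay on the sensor")
        return findings
    if s.db["host"] != collector_host or s.db.get("port") != str(collector_port):
        findings.append(f"collector mismatch: logging to {s.db['host']}:{s.db.get('port')}, "
                        f"expected {collector_host}:{collector_port}")
    if s.db.get("sensor name") != sensor_name:
        findings.append(f"sensor name is {s.db.get('sensor name')!r}, expected {sensor_name!r}")
    if s.db.get("detail level") != detail:
        findings.append(f"detail level is {s.db.get('detail level')!r}, expected {detail!r}")
    return findings


def is_stealth(s: SensorStartup, iface: str) -> bool:
    """True when the sniffing interface has no IPv4 address, as a stealth sensor should."""
    return iface in s.no_ip_interfaces


if __name__ == "__main__":
    startup = parse_startup(SAMPLE_STARTUP)
    print("eth1 is stealth:", is_stealth(startup, "eth1"))
    for finding in check_sensor(startup, "10.222.222.101", 3306, "DMZ", "eth1") or ["OK"]:
        print("-", finding)
```

Run it against the real transcript captured from `./snort -c ... &` (for example via `parse_startup(open("snort-startup.txt").read())`) on each sensor before trusting the collector's view of that zone.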