Snort configuration problem (Bad overlap_limit in frag3 config. Positive integer parameter required)
Using Snort 2.9.2.3. After finishing the configuration, the test result is as follows:
|> IDScenter test console <|
Running in Test mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "D:\Snort\etc\snort.conf"
Tagged Packet Limit: 256
Log directory = D:\Snort\log
rpc_decode arguments:
Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
alert_fragments: INACTIVE
alert_large_fragments: INACTIVE
alert_incomplete: INACTIVE
alert_multiple_requests: INACTIVE
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
ERROR: D:\Snort\etc\snort.conf(75) Bad overlap_limit in frag3 config. Positive integer parameter required.
Fatal Error, Quitting..
The snort.conf configuration file is as follows:
#--------------------------------------------------
# Snort IDScenter ruleset
# Contact: Ueli Kistler, u.kistler@engagesecurity.com
#--------------------------------------------------
# Generated using IDScenter 1.1 RC4
###################################################
# You can take the following steps to create your
# own custom configuration:
# 1) Set the network variables for your network
# 2) Configure preprocessors
# 3) Configure output plugins
# 4) Customize your rule set
###################################################
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
###################################################
# Step #1: Set the network variables:
# You must change the following variables to reflect
# your local network. The variable is currently
# setup for an RFC 1918 address space.
###################################################
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual
# 4-byte encoding that is used by default. This preprocessor
# normalizes RPC traffic in much the same way as the http_decode
# preprocessor. This plugin takes the ports numbers that RPC
# services are running on as arguments.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
# sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
# exceeds the current packet size
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network. This preprocessor
# uses the Back Orifice "encryption" algorithm to search for
# traffic conforming to the Back Orifice protocol (not BO2K).
# This preprocessor can take two arguments. The first is "-nobrute"
# which turns off the plugin's brute forcing routine (brute forces
# the key space of the protocol to find BO traffic). The second
# argument that can be passed to the routine is a number to use
# as the default key when trying to decrypt the traffic. The
# default value is 31337 (just like BO). Be aware that turning on
# the brute forcing option runs the risk of impacting the overall
# performance of Snort, you've been warned...
# The Back Orifice detector uses Generator ID 105 and uses the
# following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Back Orifice traffic detected
preprocessor bo
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit
10 min_fragment_length 100 timeout 180
preprocessor stream5_global: track_tcp yes,
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs
preprocessor stream5_udp: timeout 180
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default
preprocessor ftp_telnet: global inspection_type stateful
preprocessor ftp_telnet_protocol: telnet
preprocessor ftp_telnet_protocol: ftp server default
preprocessor ftp_telnet_protocol: ftp client default
preprocessor smtp: ports { 25 465 587 691 }
preprocessor ssh: server_ports { 22 }
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP,
preprocessor dns: ports { 53 } enable_rdata_overflow
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802
preprocessor sensitive_data: alert_threshold 25
preprocessor sip: max_sessions 40000,
preprocessor imap:
preprocessor pop:
preprocessor modbus: ports { 502 }
preprocessor dnp3: ports { 20000 }
preprocessor reputation:
####################################################################
# Step #3: Configure output plugins
#
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own
# custom snort rules.
#
# The rules included with this distribution generate alerts based on
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives or may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of the rules in this
# distribution.
#
# Credits:
# Ron Gula <rgula@securitywizards.com> of Network Security Wizards
# Max Vision <vision@whitehats.com>
# Martin Markgraf <martin@mail.du.gtn.com>
# Fyodor Yarochkin <fygrave@tigerteam.net>
# Nick Rogness <nick@rapidnet.com>
# Jim Forster <jforster@rapidnet.com>
# Scott McIntyre <scott@whoi.edu>
# Tom Vandepoel <Tom.Vandepoel@ubizen.com>
# Brian Caswell <bmc@snort.org>
# Zeno <admin@cgisecurity.com>
# Ryan Russell <ryan@securityfocus.com>
#
#=========================================
# Include all relevant rulesets here
#
# shellcode, policy, info, backdoor, and virus rulesets are
# disabled by default. These require tuning and maintenance.
# Please read the included specific file for more information.
#=========================================
# Classification configuration file
include D:\Snort\rules\icmp00.rules
# Rule/Signature files:
#include classification.config
#include reference.config
#include $RULE_PATH/local.rules
#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/blacklist.rules
#include $RULE_PATH/botnet-cnc.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/content-replace.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/file-identify.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/p2p.rules
#include $RULE_PATH/phishing-spam.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/scada.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/snmp.rules
#include $RULE_PATH/specific-threats.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/voip.rules
#include $RULE_PATH/web-activex.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/x11.rules
#include $PREPROC_RULE_PATH/preprocessor.rules
#include $PREPROC_RULE_PATH/decoder.rules
#include $PREPROC_RULE_PATH/sensitive-data.rules
#include $SO_RULE_PATH/bad-traffic.rules
#include $SO_RULE_PATH/chat.rules
#include $SO_RULE_PATH/dos.rules
#include $SO_RULE_PATH/exploit.rules
#include $SO_RULE_PATH/icmp.rules
#include $SO_RULE_PATH/imap.rules
#include $SO_RULE_PATH/misc.rules
#include $SO_RULE_PATH/multimedia.rules
#include $SO_RULE_PATH/netbios.rules
#include $SO_RULE_PATH/nntp.rules
#include $SO_RULE_PATH/p2p.rules
#include $SO_RULE_PATH/smtp.rules
#include $SO_RULE_PATH/snmp.rules
#include $SO_RULE_PATH/specific-threats.rules
#include $SO_RULE_PATH/web-activex.rules
#include $SO_RULE_PATH/web-client.rules
#include $SO_RULE_PATH/web-iis.rules
#include $SO_RULE_PATH/web-misc.rules
#include threshold.conf
#include D:\Snort\bin\icmp00.rules
include D:\Snort\bin\icmp00.rules
Could an expert point out where the problem is? Many thanks.
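Worked example, added to this thread (not code from the poster, Snort or IDScenter): a small linter for the class of mistake behind "Bad overlap_limit in frag3 config. Positive integer parameter required". Snort 2 reads each preprocessor directive as one logical line, continued only where a line ends in a backslash; a directive wrapped onto a second line without that backslash ends early, so the last option (here overlap_limit) has no value and the parser aborts. That matters because frag3_engine's policy, detect_anomalies and overlap_limit are the settings that resist fragment-overlap evasion, and a fatal parse error means Snort never starts at all. Snort also stops at the first fatal error, so the unclosed `ports {` list on the ssl line and the trailing commas on stream5_global, dcerpc2_server and sip would only surface one restart at a time; the linter reports them together. The sample inputs are constructed from the posted lines, and INT_OPTIONS is limited to the options the post uses (an assumption, not Snort's full list).

```python
"""Lint Snort 2.x preprocessor directives for wrapped lines, unclosed
braces and options left without their integer argument.

Example code added to this thread; it is not part of Snort or IDScenter.
"""
import re
import sys

# Options the frag3/stream5/sip/dcerpc2 parsers expect to be followed by an
# integer. Assumption: this list only covers the options used in the post.
INT_OPTIONS = {
    "overlap_limit", "min_fragment_length", "timeout", "max_frags",
    "memcap", "min_ttl", "max_sessions", "alert_threshold",
}

DIRECTIVE = re.compile(r"^preprocessor\s+(\S+?):?(?:\s+(.*))?$")


def join_continuations(text):
    """Yield (first_line_no, logical_line). Snort joins a line that ends in
    a backslash with the following line, so the linter must do the same."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:
        yield start, " ".join(buf).strip()


def lint(conf_text):
    """Return a list of (line_no, code, detail); an empty list means clean."""
    findings = []
    for no, line in join_continuations(conf_text):
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            # A non-directive line that starts with a number is almost always
            # the tail of a directive wrapped without a trailing backslash.
            if re.match(r"^\d+(\s|$)", line):
                findings.append((no, "stray-tail", line))
            continue
        name, args = m.group(1), m.group(2) or ""
        if args.count("{") != args.count("}"):
            findings.append((no, "unbalanced-braces", name))
        if args.rstrip().endswith(","):
            # A comma with nothing after it usually means a lost '\' continuation.
            findings.append((no, "trailing-comma", name))
        tokens = args.replace(",", " ").split()
        for i, tok in enumerate(tokens):
            if tok in INT_OPTIONS:
                value = tokens[i + 1] if i + 1 < len(tokens) else None
                if value is None or not value.isdigit():
                    findings.append((no, "missing-int",
                                     f"{name}: {tok} needs a positive integer, got {value!r}"))
    return findings


# Constructed sample: the frag3/stream5/ssl lines as they appear in the post,
# with the frag3_engine directive wrapped onto a second line.
BROKEN = """\
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit
10 min_fragment_length 100 timeout 180
preprocessor stream5_global: track_tcp yes,
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802
"""

# The same directives written the way Snort expects: one logical line each,
# continued with a trailing backslash, braces closed, nothing dangling.
FIXED = """\
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 \\
    min_fragment_length 100 timeout 180
preprocessor stream5_global: track_tcp yes, \\
    track_udp yes
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 }
"""

if __name__ == "__main__":
    # Usage: python lint_snort.py [path/to/snort.conf]; defaults to BROKEN.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN
    for no, code, detail in lint(text):
        print(f"line {no}: {code}: {detail}")
```

Run it against the real snort.conf and fix every finding in one pass, then re-run `snort -T -c snort.conf` (or the IDScenter test console) to confirm the parse completes; FIXED shows the shape of the corrected lines, with track_udp added to stream5_global only to give the dangling comma something to continue to.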
Comments (1)
https://github.com/jasonish/snort/blob/master/doc/README.frag3
Have a look here~