OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Brian (Automail) (bmcsnort.org)
Date: Sat Feb 16 2002 - 02:30:03 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    This is your weekly automated FAQ posting

    SNORT FAQ

    $Id: FAQ,v 1.11 2001/12/13 00:20:08 cazz Exp $

    Suggestions for enhancements of this document are
    always welcome please email them to Dragos Ruiu at
    drkyx.net

    The following people have contributed to this faq:

    Marty Roesch
    Fyodor Yarochkin
    Dragos Ruiu
    Jed Pickel
    Max Vision
    Michael Davis
    Joe McAlerney
    Joe Stewart
    Erek Adams
    Roman Danyliw
    Christopher Cramer
    Frank Knobbe
    Phil Wood
    Toby Kohlenberg
    Ramin Alidousti
    Jim Hankins
    Dennis Hollingworth
    Paul Howell
    Stef Mit
    Ofir Arkin
    Jason Haar
    Blake Frantz
    Lars Norman Søndergaard
    Brent Erickson
    Brian Caswell

    -----------------------------------------------------------------------------

    Frequently Asked Questions about "snort"

    Section 1: Snort Background
    --------------------------
    1.1 Q: How do you pronounce the names of some of these guys who work on snort?
    1.2 Q: Is Fyodor Yarochkin the same Fyodor who wrote nmap?
    1.3 Q: Where do I get more help on snort?
    1.4 Q: Where can I get more reading and courses about IDS?
    1.5 Q: Does Snort handle IP defragmentation?
    1.6 Q: Does Snort perform TCP stream reassembly?
    1.7 Q: Does Snort do stateful protocol analysis?
    1.8 Q: I'm on a switched network, can I still use Snort?
    1.9 Q: I've heard IDSes are vulnerable to noise generators like "Stick" and
           "Snot". Is snort vulnerable?
    1.10 Q: I've heard it is possible to use polymorphic mutators on shellcode?
    1.11 Q: Does Snort log the full packets that it generates alerts?

    Section 2: Getting Started
    --------------------------
    2.1 Q: How do I run snort?
    2.2 Q: Where are my log files located? What are they named?
    2.3 Q: Where's a good place to physically put a Snort sensor?
    2.4 Q: Libpcap complains about permissions problems, what's going on?
    2.5 Q: Why does snort complain about /var/log/snort?
    2.6 Q: I've got RedHat and ....
    2.7 Q: Where do I get the latest version of libpcap?
    2.8 Q: Why does building snort complain about missing references?
    2.9 Q: Why does building snort fail with errors about yylex and lex_init?
    2.10 Q: I Want to build a snort box. Will this <Insert List> handle
            <this much> traffic?
    2.11 Q: What are CIDR netmasks?
    2.12 Q: What is the use of the "-r" switch to read tcpdump files?

    Section 3: Configuring Snort
    ----------------------------
    3.1 Q: How do I setup snort on a 'stealth' interface?
    3.2 Q: How do I run snort on an interface with no IP address?
    3.3 Q: My network spans multiple subnets. How do I define HOME_NET?
    3.4 Q: How can I run snort on multiple interfaces simultaneously?
    3.5 Q: IP address is assigned dynamically to my interface, can I use snort
           with it?
    3.6 Q: I have one network card and two aliases, how can I force snort to
           "listen" on both addresses ?
    3.7 Q: How do I ignore traffic coming from a particular host or hosts?
    3.8 Q: How do I get Snort to log the packet payload as well as the header?
    3.9 Q: Why are there no subdirectories under /var/log/snort for IP addresses?
    3.10 Q: How do you get snort to ignore some traffic?
    3.11 Q: Why does the portscan plugin log "stealth" packets even though the
            host is in the portscan-ignorehosts list?
    3.12 Q: Which takes precedence, commandline or rule file ?
    3.13 Q: How does rule ordering work?
    3.14 Q: How do I configure stream4?
    3.15 Q: Where does one obtain new/modifed rules? How do you merge them in?
    3.16 Q: How do you get the latest snort via cvs?

    Section 4: Snort Rules and Alerts
    ---------------------------------
    4.1 Q: When I start snort I get errors from my rules files
    4.2 Q: Snort says "Rule IP addr ("1.1.1.1") didn't x-late, WTF?"
    4.3 Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully
           quiet...
    4.4 Q: I'm getting large amounts of some alerts type. What should I do? Where
           can I go to find out more about it?
    4.5 Q: What about all these false alarms?
    4.6 Q: What are all these ICMP files in subdirectories under /var/log/snort?
    4.7 Q: Why does the program generate alerts on packets that have pass rules?
    4.8 Q: What are all these "ICMP destination unreachable" alerts?
    4.9 Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set?
    4.10 Q: What are these IDS codes in the alert names?
    4.11 Q: Snort says BACKDOOR SIGNATURE... does my machine have a Trojan?
    4.12 Q: What about "CGI Null Byte attacks"?
    4.13 Q: Why do certain alerts seem to have 'unknown' IPs in ACID?
    4.14 Q: Can priorities be assigned to Alerts using ACID?
    4.15 Q: What about 'SMB Name Wildcard' alerts?
    4.16 Q: What the heck is a SYNFIN scan?
    4.17 Q: I am getting too many "IIS Unicode attack detected" and/or "CGI Null
            Byte attack detected" false positives. How can I turn this detection
            off?
    4.18 Q: How do I test snort alerts and logging?

    Section 5: Getting Fancy
    ------------------------
    5.1 Q: How do I process those snort logs into HTML reports?
    5.2 Q: How do I log to multiple databases?
    5.3 Q: How can I test snort without having an ethnernet card or a connection
           to other computers?
    5.4 Q: How to start snort as a win32 service?
    5.5 Q: Is it possible with snort to add a ipfilter/ipfw rule to a firewall?
    5.6 Q: Snort complains about the "react" keyword...
    5.7 Q: How do I get snort to e-mail me alerts?
    5.8 Q: How do I log a specific type of traffic and send alerts to syslog?
    5.9 Q: Is it possible to have snort call an external program when an alert
           is raised?

    Section 6: Problems
    -------------------
    6.1 Q: I think I found a bug in snort. Now what?
    6.2 Q: SMB alerts aren't working, what's wrong?
    6.3 Q: Snort says "Garbage Packet with Null Pointer discarded!". Huh?
    6.4 Q: Snort says "Ran Out Of Space". Huh?
    6.5 Q: I'm having problems getting snort to log to a database...
    6.6 Q: My ACID db connection times-out when performing long operations (e.g.
           deleting a large number of alerts)
    6.7 Q: Why does snort report "Packet loss statistics are unavailable under
           Linux"?
    6.8 Q: My /var/log/snort directory get very large...
    6.9 Q: Why does the 'error deleting alert' message occur when attempting to
           delete an alert with ACIO?
    6.10 Q: ACID appears to be broken in Lynx
    6.11 Q: I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)'
            warnings, what's wrong.
    6.12 Q: on HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid
            argument
    6.13 Q: I am getting snort dying with 'can not create file' error and I have
            plenty of diskspace, what's wrong?
    6.14 Q: I am using Snort on Windows and receive an OpenPcap() error upon
            startup:
    6.15 Q: Snort is not logging to my database
    6.16 Q: Portscans are not being logged to my database
    6.17 Q: Snort is not logging to syslog
    6.18 Q: I am still getting bombarded with spp_portscan messages even though
            the IP that I am getting the portscan from is in my $DNS_SERVERs var
    6.19 Q: Why chrooted snort die when I send it a SIGHUP?
    6.20 Q: My snort crashes, how do I restart it?
    6.21 Q: Why can't snort see one of either the 10Mbps or 100Mbps traffic on my
            autoswitch hub

    --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

    ***************************************
    Section 1: SNORT BACKGROUND
    ***************************************

    1.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do you pronounce the names of some of these guys who work on snort?

    A: For the record, 'Roesch' is pronounced like 'fresh' without the 'f'.
       Additionally, 'Ruiu' is pronounced like 'screw you' without the 'sc'. And
       Jed's last name is like "pick-el", not "pickle". :)

    1.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Is Fyodor Yarochkin the same Fyodor who wrote nmap?

    A: Nope. fyodorinsecure.org is the author of nmap, and he uses the
       same pseudonym as other snort Fyodor's real surname. Yeah, messes up
       my mailbox too, but I think it's too late to change either of them :-).

    1.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Where do I get more help on snort?

    A: Check the website, http://www.snort.org. Other good resources are
       are available in the source distribution, including the Snort Users
       Manual (SnortUsersManual.pdf) and the USAGE file.

    1.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Where can I get more reading and courses about IDS?

    A: SANS, USENIX and Networld/Interop offer courses on Intrusion detection.

       http://www.sans.org
       http://www.usenix.org/event/
       http://www.key3media.com/interop/

       Many good books on Intrusion detection are available. Included is just
       a few:

            Network Intrusion Detection An Analyst's Handbook
            By Stephen Northcutt
            ISBN 0735708681

            TCP/IP Illustrated, Volume 1 The Protocols
            By W. Richard Stevens
            ISBN 0201633469

            Intrusion Detection
            By Rebecca G. Bace
            ISBN 1578701856
      
    1.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Does Snort handle IP defragmentation?

    A: Yes, use "preprocessor frag2" or "preprocessor defrag" or "preprocessor
       defrag2"

       Each has slightly different capabilities.

    1.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Does Snort perform TCP stream reassembly?

    A: Yes, check out the stream4 preprocessor that does stateful analysis
       session loggin, tcp reassembly and much much more... Check the FAQ question
       on configuring stream4.

    1.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Does Snort perform stateful protocol analysis?

    A: Yes, Check out SNORT FAQ #1.6

    1.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I'm on a switched network, can I still use Snort?

    A: Being able to sniff on a switched network depends on what type of
       switch is being used. If the switch can mirror traffic, then set
       the switch to mirror all traffic to the snort machine's port.

    1.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I've heard IDSes are vulnerable to noise generators like "Stick" and
       "Snot". Is snort vulnerable to these types of attacks?

    A: It is now possible to defeat these kinds of noise generators with
       the stream4 preprocessor. Even without the stream4 preprocessor
       enabled, snort will weather the alert storm without falling over
       or losing a lot of alerts due to its highly optimized nature.
       Using tools that generate huge amounts of alerts will warn a good
       analyist that someone is trying to sneak by their defenses.

    1.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I've heard it is possible to use polymorphic mutators on shellcode?

    A: Yes, and this could defeat some of the NOP sled detection signatures
       but the ordinary exploit rules should not be affected by this kind
       of obfuscation. The SPACE statistical anomaly detector may detect
       some of these attacks. A number of other defenses are being worked
       on and should be ready by 2.0.

    1.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Does Snort log the full packets that it generates alerts?

    A: Yes, the packets should be in the directory that has the same IP
       address as the source host of the packet which generated the alert.
      
    --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

    ***************************************
    Section 2: GETTING STARTED
    ***************************************

    2.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do I run snort?

    A: Run Snort in sniffer mode (snort -dvi eth0) and make sure it can see the
       packets. Then run it with the HOME_NET set appropriately for the network
       you're defending in your rules file. A default rules file comes with the
       snort distribution and is called "snort.conf" You can run this basic ruleset
       with the following command line:
      
       snort -A full -c snort.conf

       If it's all set right, once it's running do an "ifconfig -a" and make sure
       the interface is in promiscuous mode (it'll say so in the options section of
       the printout). If it's not, there should be a way to set it manually.
      
    2.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Where are my log files located? What are they named?

    A: The default location for logs is /var/log/snort. If snort is started
       with "-l <directory>", then the logs will be located in the directory
       specified.

       In the past, running Snort in daemon mode (-D) produced a file named
       "snort.alert". For consistency sake, this has been changed. Running
       Snort in both standard or daemon modes (-D) will produce a file named
       "alert".

    2.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Where's a good place to physically put a Snort sensor?

    A: This is going to be heavily influenced by your organizations policy, and
        what you want to detect. One way of looking at it is determining if you
        want to place it inside or outside your firewall. Placing an IDS outside
        of your firewall will allow you monitor all attacks directed at your
        network, regardless of whether or not they are stopped at the firewall.
        This almost certainly means that the IDS will pick up on more events
        than an IDS inside the firewall, and hence more logs will be generated.
        Place an IDS inside your firewall if you are only interested in monitoring
        traffic that your firewall let pass. If resources permit, it may be best
        to place one IDS outside and one IDS inside of your firewall. This way
        you can watch for everything directed at your network, and anything that
        made it's way in.

    2.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Libpcap complains about permissions problems, what's going on?

    A: You are not running snort as root or your kernel is not configured
       correctly.
                                                                       
    2.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Why does snort complain about /var/log/snort?

    A: It requires this directory to log alerts to it.
       Use: mkdir /var/log/snort
      
       Make sure the logging directory is owned by the user snort is running
       as.

    2.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I've got RedHat and ....

    A: Check your version of libpcap. :) If it's not >= 0.5, then you should
        update.

    2.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Where do I get the latest version of libpcap?

    A: http://www.tcpdump.org/

    2.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Why does building snort complain about missing references?

    A: You must make libpcap with the --install-incl option or install the
       libpcap-devel rpm.

    2.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Why does building snort fail with errors about yylex and lex_init?

    A: You need the lex and yacc tools or their gnu equivalents
       flex and bison installed.

    2.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I Want to build a snort box. Will this <Insert list of hardware> handle
       <this much> traffic?

    A: That depends. ;-) Lower the number of rules is a standard performance
       increase. Disable rules that you don't need or care about. There have
       been many discussions on 'tweaking performance' with lots of 'I handle
       XX mb with a ___ machine setup.' being said. Look at some of the
       discussions on snort-users

    2.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: What are CIDR netmasks?

    A: (Excerpt from url: http://public.pacbell.net/dedicated/cidr.html)

    CIDR is a new addressing scheme for the Internet which allows for more i
    efficient allocation of IP addresses than the old Class A, B, and C address
    scheme.

    CIDR Block Prefix # Equivalent Class C # of Host Addresses
    /27 1/8th of a Class C 32 hosts
    /26 1/4th of a Class C 64 hosts
    /25 1/2 of a Class C 128 hosts
    /24 1 Class C 256 hosts
    /23 2 Class C 512 hosts
    /22 4 Class C 1,024 hosts
    /21 8 Class C 2,048 hosts
    /20 16 Class C 4,096 hosts
    /19 32 Class C 8,192 hosts
    /18 64 Class C 16,384 hosts
    /17 128 Class C 32,768 hosts
    /16 256 Class C 65,536 hosts (= 1 Class B)
    /15 512 Class C 131,072 hosts
    /14 1,024 Class C 262,144 hosts
    /13 2,048 Class C 524,288 hosts

    For more detailed technical information on CIDR, go to
    http://www.rfc-editor.org/rfcsearch.html and type in the number of the
    CIDR RFC you are interested in:

    RFC 1517: Applicability Statement for the Implementation of CIDR
    RFC 1518: An Architecture for IP Address Allocation with CIDR
    RFC 1519: CIDR: An Address Assignment and Aggregation Strategy
    RFC 1520: Exchanging Routing Information Across Provider Boundaries in the
              CIDR Environment

    2.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: What is the use of the "-r" switch to read tcpdump files?

    A: Used in conjunction with a snort rules file, the tcpdump data can be
       analyzed for hostile content, port scans, or anything else Snort can be
       used to detect. Snort can also display the packets in a decoded format,
       which many people find is easier to read than native tcpdump output.

    --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

    ***************************************
    Section 3: CONFIGURING SNORT
    ***************************************

    3.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do I setup snort on a 'stealth' interface?

    A: Bring up the interface without an IP address on it. See FAQ 3.2...
       http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/
    A: Use an ethernet tap, or build your own 'receive-only' ethernet cable.
       http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm
    A: Anyway, here is the cable I use:

        LAN Sniffer
        1 -----\ /-- 1
        2 ---\ | \-- 2
        3 ---+-*------ 3
        4 - | - 4
        5 - | - 5
        6 ---*-------- 6
        7 - - 7
        8 - - 8
        
       Basically, 1 and 2 on the sniffer side are connected, 3 and 6
       straight through to the LAN. 1 and 2 on the LAN side connect to 3 and
       6 respectively. This fakes a link on both ends but only allows
       traffic from the LAN to the sniffer. It also causes the 'incoming'
       traffic to be sent back to the LAN, so this cable only works well on
       a hub. You can use it on a switch but you will get ...err...
       interesting results. Since the switch receives the packets back in on
       the port it sent them out, the MAC table gets confused and after a
       short while devices start to drop off the switch. Works like a charm
       on a hub though.

    3.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do I run snort on an interface with no IP address?

    A: ifconfig eth1 up

    3.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: My network spans multiple subnets. How do I define HOME_NET?

    A: Snort 1.7 supports IP lists. You can assign a number of addresses to
       a single variable. For example:

         var HOME_NET [10.1.1.0/24,192.168.1.0/24]

       NOTE: Not all preprocessors support IP lists at this time. Unless
       otherwise stated, assume that any preprocessor using an IP list variable
       will use the first value as the HOME_NET. The portscan preprocessor
       is an example. To catch all detectable portscans, pass 0.0.0.0/0 in
       as the first parameter.

       preprocessor portscan: 0.0.0.0/0 5 3 portscan.log

       Use the portscan-ignorhosts preprocessor to fine tune and ignore
       traffic from noisy, trusted machines.

    3.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How can I run snort on multiple interfaces simultaneously.

    A: If you aren't running snort on linux 2.1.x/2.2.x kernel (with LPF available)
       the only way is to run multiple instances of snort, one instance per
       interface (with the -i option specifying the interface). However for
       linux 2.1.x/2.2.x and higher you can use libpcap library with S. Krahmer's
       patch which allows you to specify 'any' as interface name. In this case
       snort will be able to process traffic coming to all interfaces.

    3.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: IP address is assigned dynamically to my interface, can I use snort with it?

    A: Yes. With snort 1.7 and later, <interface>_ADDRESS variable is available.
       The value of this variable will be always set to IP address/Netmask of the
       interface which you run snort at. if interface goes down and up again (and
       an IP address is reassigned) you will have to restart snort. For earlier
       versions of snort numerous scripts to achieve the same result are
       available.

    3.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I have one network card and two aliases, how can I force snort to "listen"
       on both addresses ?

    A: If you're using at least version 1.7, you can specify an IP list like
       this:

            var HOME_NET [192.168.<your-IP>/24,<Internet address>/32]

       If you're using something older (version 1.6.3-patch2 or whatever) you can
       re-specify the HOME_NET variable multiple times like this (for example):

            var HOME_NET 10.1.1.0/24

            include scan-lib
            etc.

            var HOME_NET 192.168.1.0/24

            include scan-lib
            etc.

    3.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do I ignore traffic coming from a particular host or hosts?

    A: Write pass rules and add the host(s) to the portscan-ignorehosts list.
       Call Snort with the -o option to activate the pass rules.
       See http://www.snort.org/writing_snort_rules.htm for more information.

    A: Use bpf on the commandline to ignore a host (for example):

           $ snort <commandline options> not host 192.168.0.1

    3.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do I get Snort to log the packet payload as well as the header?

    A: Use the "-d" command line option.

    3.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Why are there no subdirectories under /var/log/snort for IP addresses?

    A: It depends on how your snort configuration logs. If it logs in binary
       format, you'll have to process the binary log in order to get cleartext

    3.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do you get snort to ignore some traffic?

    A1: Specify bpf filters on the command line the tcpdump man page
        has a description of bpf filters.
    A2: Use a pass rule
    A3: The portscan preprocessor has it's own special exclusion list
        with the portscan-ignorehosts.rules file directive

    3.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Why does the portscan plugin log "stealth" packets even though the
       host is in the portscan-ignorehosts list?

    A: These types of tcp packets are inherently suspicious, no matter where
       they are coming from. The portscan detector was built with the assumption
       that "stealth" packets should be reported, even from hosts which are not
       monitored for portscanning. An option to ignore "stealth" packets may be
       added in the future.

    3.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Which takes precedence, commandline or rule file ?

    A: The command line always gets precedence over the rules file. If people
       want to try stuff out quickly without having to manually edit the rules
       file, they should be able to override many things from the command
       line.

    3.13 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How does rule ordering work?

    A: Marty has answered this many times on the snort-users mailing list. Here is
       an excerpt from a post on Thu, 22 Feb 2001 00:31:53 -0500, titled "Re:
       [Snort-users] order of evaluation of rules"

    Currently, the data structures that store Snort rule data are the
    RuleTreeNodes (RTN) and the OptTreeNodes (OTN). These data structs are
    stored in a two dimensinal linked list structure with the RTNs forming
    the top row of the "Array" and the OTNs forming the columns under the
    RTNs. Here's an ASCII illustration from the infamous "lisapaper":

      RTN RTN RTN
      -------------- -------------- -----
     | Chain Header | | Chain Header | | Chai
     | | | | |
     | Src IP | | Src IP | | Src
     | Dst IP |----->| Dst IP |----->| Dst .....
     | Src Port | | Src Port | | Src
     | Dst Port | | Dst Port | | Dst
     | | | | |
      -------------- -------------- -----
             | |
             | |
             | |
      OTN \|/ OTN \|/
      -------V------ --------V-------
     | Chain Option | | Chain Option |
     | | | : |
     | Content | :
     | TCP Flags | :
     | ICMP Data |
     | Payload Size |
     | etc. |
     | |
      ---------------
             |
             |
             |
       OTN \|/
      -------V------
     | Chain Option |
     | |
     | Content |
     | TCP Flags |
     | ICMP data |
     | Payload Size |
     | etc. |
     | |
      --------------
             |
             |
     
    Rules with similar rule headers (i.e. all the CGI rules, the old stealth
    port scan detection rules, most of the rules that focus on any single
    service, etc) are grouped under a single RTN for the sake of efficiency
    and the applicable OTNs are hung below them. For instance, if you have
    three rules like this:

    alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
    alert tcp any any -> $HOME 80 (content: "bar"; msg: "bar";)
    alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)

    They all get grouped under the same RTN and the OTNs are "hung" beneath
    them like this:

      RTN
     --------------------
    | SIP: any |
    | SP: any |
    | DIP: $HOME |
    | DP: 80 |
     --------------------
              |
              |
      OTN \|/
     ---------v----------
    | content: foo |
    | msg: foo |
     ---------------------
              |
              |
      OTN \|/
     ---------v----------
    | content: bar |
    | msg: bar |
     ---------------------
              |
              |
      OTN \|/
     ---------v----------
    | content: baz |
    | msg: baz |
     ---------------------

    This is an efficient way to do things because we only need to check the
    data in the RTN once with this method. There is actually another
    dimension to this array: the function pointer list. Each node in the
    "array" has a linked list of function pointers attached to it. The
    functions in this list are the tests that need to be done to determine
    whether the data in the current packet matches the current rule node's
    information. Having this function pointer list gives us great
    efficiency and flexibility: we don't need to perform tests for things
    the current rule doesn't contain (e.g. "any" ports/IPs, packet content
    on non-content rules, etc). It also allows us to analyze the packet
    with any function without having to make major modifications to the
    whole program (which was the case in versions prior to version 1.5).

    There are a couple of implications of this architecture. For the sake
    of this discussion on rules ordering, the one we're interested in is
    that rule order is tricky to figure out. For instance

    alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
    alert tcp any any -> $HOME 1:1024 (flags: S; msg: "example";)
    alert tcp any any -> $HOME 80 (flags: S; msg: "Port 80 SYN!";)
    alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)

    gets built like this:

      RTN RTN
     -------------------- --------------------
    | SIP: any | | SIP: any |
    | SP: any |-------->| SP: any |
    | DIP: $HOME | | DIP: $HOME |
    | DP: 80 | | DP: 1-1024 |
     -------------------- --------------------
              | |
              | |
      OTN \|/ \|/
     ---------v---------- ---------v----------
    | content: foo | | flags: S |
    | msg: foo | | msg: example |
     -------------------- --------------------
              |
              |
      OTN \|/
     ---------v----------
    | flags: S |
    | msg: Port 80 SYN! |
     --------------------
              |
              |
      OTN \|/
     ---------v----------
    | content: baz |
    | msg: baz |
     --------------------

    Note that all three of the port 80 rules will be checked before the
    "1:1024" rule due to the order in which the applicable RTN has been
    created. This is because the rules parser builds the first chain header
    for port 80 traffic and sticks it on the rules list, then on the next
    rule it sees that a new chain header is required, so it gets built and
    put in place. In this case you would intuitively expect to get the
    "example" message and never see the "Port 80 SYN!", but the opposite is
    true.

    3.14 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do I configure stream4?

    A: Stream4 is an entirely new preprocessor that preforms two functions:

       1) Stateful inspection of TCP sessions
       2) TCP stream reassembly

       I implemented stream4 out of the desire to have more robust stream
       reassembly capabilities and the desire to defeat the latest "stateless
       attacks" that have been coming out against Snort (c.f. stick and snot).
       Stream4 is written with the intent to let Snort be able to handle
       performing stream reassembly for "enterprise class" users, people who
       need to track and reassemble more than 256 streams simultaneously. I've
       optimized the code fairly extensively to be robust, stable, and fast.
       The testing and calculations I've performed lead me to be fairly
       confident that stream4 can provide full stream reassembly for several
       thousand simultaneous connections and stateful inspection for upwards of
       64,000 simultaneous sessions.
       
       Stream4 is a large and complex piece of code (almost 2000 lines) and
       there are a lot of options associated with its runtime configuration, so
       I'll go over them here.
       
       preprocessor stream4: [noinspect], [keepstats], [timeout <seconds>],
       [memcap <btream4_reassemble defaults:
       Reassemble client: ACTIVE
       Reassemble server: INACTIVE
       Reassemble ports: 21 23 25 53 80 143 110 111 513
       Reassembly alerts: ACTIVE
       
       There is a new command line switch that is used in concert with the
       stream4 code, "-z". The -z switch can take one of two arguments: "est"
       and "all". The "all" argument is the default if you don't specify
       anything and tells Snort to alert normally. If the -z switch is
       specified with the "est" argument, Snort will only alert (for TCP
       traffic) on streams that have been established via a three way handshake
       or streams where cooperative bidirectional activity has been observed
       (i.e. where some traffic went one way and something other than a RST or
       FIN was seen going back to the originator). With "-z est" turned on,
       Snort completely ignores TCP-based stick/snot "attacks".
       
    3.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Where does one obtain new/modifed rules? How do you merge them in?

    A: New rules can be downloaded via CVS (See 3.16) or alternatively may be
       found at www.snort.org. There is a mailing list dedicated to snort rules,
       called snort-sigs hosted at sourceforge.

       To merge in new rules check out the snortpp program in the snort/contrib
       directory.

    3.16 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do you get the latest snort via cvs?

    A: The Snort project's SourceForge CVS repository can be checked out
       through anonymous (pserver) CVS with the following instruction set.
       The module you wish to check out must be specified as the modulename.r
       When prompted for a password for anonymous, simply press the Enter key.

    cvs -d:pserver:anonymouscvs.snort.sourceforge.net:/cvsroot/snort login

    cvs -z3 -d:pserver:anonymouscvs.snort.sourceforge.net:/cvsroot/snort co snort

       Updates from within the module's directory do not need the -d parameter.

    ***************************************
    Section 4: RULES AND ALERTS
    ***************************************

    4.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: When I start snort I get errors from my rules files:
       
       Some common ones:

           ERROR somefile.rules:yy => Port value missing in rule!
           ERROR somefile.rules:yy => Bad port number: "(msg:"blah"
           ERROR somefile.rules:yy => Couldn't resolve hostname blah

       What's going on?

    A: somefile.rules is the file where the syntax error occurred, and yy is the
       line number it occurred on. There are a couple of possibilities:

       a) The rule is missing a port value, has an invalid port number, or a
           bad hostname - in which case the ruleset author/maintainer should be
           notified.

       b) More often, the rule is just fine, but a variable in it was not
           declared. Open the rules file, look at the rule on the line number
           provided, and confirm that the variables it uses have been declared.
           You can read more about variables from
           http://www.snort.org/writing_snort_rules.htm#variables

    4.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Snort says "Rule IP addr ("1.1.1.1") didn't x-late, WTF?"

    A: Chuckle... Get rid of the quotes around the IP address and try again. :-)

    4.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...

    A: Your firewall rules will also block traffic to the snort processes.

    4.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I'm getting large amounts of <some alerts type>. What should I do? Where
       can I go to find out more about it?

    A: Some rules are more prone to producing false positives than others.
       This often varies between networks. You first need to determine if it
       is indeed a false positive. Some rules are referenced with ID numbers.
       The following are some common identification systems, and where to go
       to find more information about a particular alert.

    System Example URL
    ---------------------------------------------------------------
    IDS IDS182 http://www.whitehats.com/IDS/182
    CVE CVE-2000-0138 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0138
    Bugtraq BugtraqID 1 http://www.securityfocus.com/vdb/bottom.html?vid=1
    McAfee Mcafee 10225 http://vil.nai.com/vil/dispVirus.asp?virus_k=10225

       It may be necessary to examine the packet payload to determine if the
       alert is a false positive. The packet payload is logged using the -d
       option. If you determine the alerts are false positives, you may want
       to write pass rules for machines that are producing a large number of them.
       If the rule is producing an unmanageable amount of false positives from
       a number of different machines, you could pass on the rule for all traffic.
       This should be used as a last resort.

    4.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: What about all these false alarms?

    A: Most think that a pile of false positives is infinitely preferable. Then
       people can turn off what they don't want. The reverse, having a small rule
       set, can lure people into complacency thinking that Snort is doing "its
       thing" and there is nothing to worry about.
     
    4.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: What are all these ICMP files in subdirectories under /var/log/snort?

    A: Most of them are likely destination unreachable and port unreachables that
       were detected by snort when a communications session attempt fails.

    4.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Why does the program generate alerts on packets that have pass rules?

    A: The default order that the rules are applied in is alerts first, then pass
       rules, then log rules. This ordering ensures that you don't write 50 great
       alert rules and then disable them all accidently with an errant pass rule.
       If you really want to change this order so that the pass rules are applied
       first, use the "-o" command line switch.

    4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: What are all these "ICMP destination unreachable" alerts?

    A: ICMP is the acronym for Internet Control Message Protocol
       They are failed connections ICMP unreach packet carries first 64
       bits(8bytes) or more of the original datagrami and the original IP header.

       The ICMP Destination Unreachable (message type 3) is sent back to the
       originator when an IP packet could not be delivered to the destination
       address. The ICMP Code indicates why the packet could not be delivered.
        The original codes are:
             0 net unreachable
             1 host unreachable
             2 protocol unreachable
             3 port unreachable
             4 fragmentation needed and DF bit set
             5 source route failed

       As far as why... "it all depends..."

       ICMP Unreachable Error Messages are divided into two groups:
       - ICMP Unreachable Error Messages issued by routers (all 16 of them)
       - ICMP Unreachable Error Messages issued by a Host (only 2)

       What are the only 2 issued by a host?
       ICMP Port Unreachable - the destination port on the targeted host is
                               closed (a.k.a. not in a listening state).
       ICMP Protocol Unreachable - the protocol we were trying to use is not
                               being used on the targeted host.

       Both ICMP Type field and Code field indicates why the packets could
       not be delivered. Some snort ICMP alerts" are informational like the ICMP
       alerts found in icmp-info.rules. At this time there are no references
       or even classtypes associated with these rules.

       Other rules are more likely to be associated with untoward activity. For
       example, in icmp.rules you will find:

          alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger";
          content:"|495353504e475251|";itype:8;depth:32; reference:arachnids,158;
          classtype:attempted-recon; sid:465; rev:1;)

       which has a reference where the importance might be determined by checking
       out the aracnids reference. The classtype may indicate more or
       less the relative importance of the event.

       When a destination UDP port is closed on the targeted host, a.k.a. not
       in a listening state, the targeted host will issue an ICMP Port Unreachable
       error message back to the offending packets source IP address, given in
       the query. Some programs use these messages, like traceroute with *nix
       based machines. Windows based machines (tracert) will default to
       ICMP Echo requests...

       For further information about this see
             IP ftp://ftp.isi.edu/in-notes/rfc791.txt
             ICMP ftp://ftp.isi.edu/in-notes/rfc792.txt
             TCP ftp://ftp.isi.edu/in-notes/rfc793.txt
             UDP ftp://ftp.isi.edu/in-notes/rfc768.txt

       and

       http://www.iana.org/assignments/icmp-parameters

       Actually, putting this URL somewhere handy is a good idea:

       http://www.iana.org/

       There is also a good ICMP paper on http://www.sys-security.com/

    4.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set?

    A: One of the reasons it alerts on a PA flags is to minimize the false
       positive. You will only get an alert upon successful connections. If you
       want to see all the attempts, you either have to modify the signatures, add
       you own signatures or use your firewall logs to see if an attempt to
       specific a port occurred.

    4.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: What are these IDS codes in the alert names?

    A: IDS means "Intrusion Detection Signature" and identifies a
       known attack attempt. You can learn more about a specific IDS id
       at the arachNIDS search engine on http://www.whitehats.com/.
       The "references" keyword in rules can also be a good pointer
       for further research.

    4.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Snort says BACKDOOR SIGNATURE... does my machine have a Trojan?

    A: If you are dumping the data part of the packet, review it.
       These rules are known to have high false rates as most of them
       are just based on numeric port numbers.

    4.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: What about "CGI Null Byte attacks"?

    A: It's a part of the http preprocessor. Basically, if the http decoding
       routine finds a %00 in an http request, it will alert with this message.
       Sometimes you may see false positives with sites that use cookies with
       urlencoded binary data, or if you're scanning port 443 and picking up
       SSLencrypted traffic . If you're logging alerted packets you can check
       the actual string that caused the alert. Also, the unicode alert is
       subject to the same false positives with cookies and SSL. Having the packet
       dumps is the only way to tell for sure if you have a real attack on your
       hands, but this is true for any content-based alert.

    4.13 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Why do certain alerts seem to have 'unknown' IPs in ACID?

    A: The Snort database plug-in only logs packet information into the database
       when an alert is triggered by a rule (signature). Therefore, since alerts
       generated by pre-preprocessors such as portscan and mini-fragment have no
       corresponding rules, no packet information is logged beyond an entry
       indicating their occurance. As a consequence, ACID cannot display any
       packet-level (e.g. IP address) information for these alerts.

       For these particular alerts, certain statistics may show zero unique IP
       addresses, list the IP address as 'unknown', and will not list any packet
       information when decoding the alert.

    4.14 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Can priorities be assigned to Alerts using ACID?

    A: The quick answer to this question is no. ACID is at the mercy of the
       underlying database, since Snort doesn't assign priorities, ACID does not
       have priorities. Nevertheless, there are several work-arounds:

      It is possible to enforce priorities of sort at the database level by
      writing alerts of different severity to separate databases. For example,
      critical alerts such as buffer overflows can be written to one database,
      while scan alerts can be written to another. Then load two different versions
      of ACID, each pointing to a different instance of the database.

      With manual intervention Alert Groups (AG) can be used to assign priority.
      Essentially, this strategy entails creating an AG for each severity level and
      manually moving the alerts as they arrive into the appropriate group.

    4.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: What about 'SMB Name Wildcard' alerts?

    A: Whitehats IDS177
       http://dev.whitehats.com/cgi/test/new.pl/Show?_id=netbios-name-query
       specifies traffic coming from *outside* of your local network. Allowing
        netbios traffic over public networks is usually very insecure.

       If the rule you are using also refers to ingres traffic only, then it
       would explain why you don't see a lot of false positives. For anyone
       reading that does see a lot of false postiives - if you change your rule
       to reflect the source address as being !$HOME (or whatever variable you
       use to represent your internal network), then you should see most of the
       false positives go away.

       The value of this chack is that a default administrative share C$ ADMIN$ or
       some such has been accessed. This shouldn't happen in normal use - when
       people want to share files they should be implicitely defining the shares
       and ACL.

    4.16 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: What the heck is a SYNFIN scan?

    A: SYNFIN scans got their name because there are both the
       SYN and FIN flags set.

    4.17 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I am getting too many "IIS Unicode attack detected" and/or "CGI Null Byte
       attack detected" false positives. How can I turn this detection off?

    A: These messages are produced by the http_decode preprocessor. If you wish
       to turn these checks off, add -unicode or -cginull to your http_decode
       preprocessor line respectively.

            preprocessor http_decode: 80 8080 -unicode -cginull

       Your own internal users normal surfing can trigger these alerts in the
       preprocessor. Netscape in particular has been known to trigger them.

       Instead of disabling them,try a BPF filter to ignore your outbound http
       traffic such as:

       snort -d -A fast -c snort.conf not (src net xxx.xxx and dst port 80)

       This has worked very well for us over a period of 5-6 months and Snort is
       still very able to decode actual and dangerous cgi null and unicode attacks
       on our public web servers.

    4.18 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do I test snort alerts and logging?

    A: Try a rule that will fire off all the time like:

       alert tcp any any -> any any (msg:"TCP traffic";)
     
       Also take a look at sneeze at http://snort.sourceforge.net/sneeze-1.0.tar
       Sneeze is a false positive generator that reads snort signatures and generates
       packets that will trigger the rules.

    --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

    ***************************************
    Section 5: GETTING FANCY
    ***************************************

    5.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do I process those snort logs into HTML reports?

    A1: One popular solution is SnortSnarf, a tool for producing HTML
        out of snort alerts for navigating through these alerts
        (and doing a whole lot more).
        http://www.silicondefense.com/snortsnarf/

    A2: If you want to set up logging to a database you could try ACID
        Some documentation describing the current ACID functionality:

        http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html

    5.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do I log to multiple databases?

    A: You can build redundancy by using multiple output plugins. Here are
       some examples.

       Multiple instantiations of the database plugin:

            output log_database: mysql, dbname=snort host=localhost user=xyz
            output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz

       Remote database and local tcpdump:

            output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz
            output log_tcpdump: /var/log/snort.tcpdump

       Then you can replay the tcpdump file through snort to recreate the
       database.

    5.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How can I test snort without having an ethernet card or a connection to
       other computers?

    A: You have to use routing between two dummy devices:

            modprobe -a dummy (The dummy device has to be build by the kernel)

            ifconfig dummy0 192.168.0.1

            ifconfig dummy0:0 192.168.0.2

            telnet 192.168.0.3 12345

       It's important that the second IP is on the same interface and not e.g.
       dummy1 or dummy2 and that the IP you try to access is *not* one of those you
       put on the interfaces. Use snort's ability to hear in promiscious mode on an
       IP address range. (HOMEDIR=192.168.0.0/16)

    5.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How to start snort as a win32 service?

    A: Service support has been added to snort-1.6.3-patch2
       You can download the binary from:
       http://www.datanerds.net/~mike/dev/snort-1.6.3-patch2-service.zip
       
       Right now there is only a binary available.
       
       Snort Service FAQ:
       
       1) Use must use complete paths for everything. This means EVERYTHING.
       Command line, configuration files, everything. Examples:
       All include statements must be full paths. I.E. 'include scan-lib'
       is WRONG. 'include C:\snort\scan-lib' is CORRECT.
       All Command line options must be full paths. I.E. 'snort.exe -l
       ./log' is WRONG. 'snort.exe -l C:\snort\log' is CORRECT.
       
       2) YOU MUST ALWAYS HAVE A LOGGING DIRECTORY SET VIA THE COMMAND
       LINE(-l switch). If you do not set a logging directory the service
       will not start and, on NT/Win2k, your bootup will hang for about 4
       minutes.
       
       3) How to install the snort service.
       Run snort like you would via command line but add a '-I'. I.E.
       'snort.exe -c snort.conf -l ./log -h 192.168.1.0/24 -s' turns into
       'snort.exe -c C:\snort\snort.conf -l C:\snort\log -h 192.168.1.0/24 -s
       -I'
       YOU MUST USE COMPLETE PATHS FOR ALL FILES/DIRECTORIES.
       NOTE: You do NOT need to add the -D option to the command line when
       you install the service. If -D is not there it will automatically be
       added.
       
       4) How to remove the snort service.
       Run 'snort -R'.
       
       5) Does the Service run on 9x/ME.
       Yes. It uses a horrible hack to get it to work. Because of this when
       you boot up you will see a black command prompt window for about 5
       seconds before snort goes to the background. This service mode is
       considered a horrible hack and probably will not work in every
       situation.
       
       6) What functions are support by the NT service.
       Start and Stop currently. Pause and Resume will be implemented later
       (Code already exists but not working properly).
       
       Any questions, comments, flames please email mikedatanerds.net
       
    5.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Is it possible with snort to add a ipfilter/ipfw rule to a firewall?

    A: Yes, with additional software in the conrib directory. But this
       can be dangerous and is not recommended unless you know what you're
       doing.

       Guardian is available and is part of the contrib directory in
       the tarball distribution.

       Guardian is a perl script which uses snort to detect attacks,
       and then uses IPchains to deny any further attacks.

       The Guardian webpage can be found at:
       http://www.chaotic.org/~astevens/Guardian/index.html
       or you can use the mirror,
       http://www.cyberwizards.com/~midnite/Guardian/index.html

       But one caveat... running external binaries can also be a performance
       limiter and your should read the caution below...

       Christopher Cramer wrote:
    >
    > I'm sure this has been mentioned before in similar discussions, but this
    > feels like a _really_ bad idea. What if the bad guys realize what is
    > going on and make use of your blocking method as a DoS attack. All one
    > would have to do start sending a series of triggering packets with spoofed
    > IP addresses.
    >
    > Since I am no longer interested in breaking into your site, but rather
    > making your life hell, I don't worry about the resulting data getting back
    > to me. All I have to do is start proceeding up a list of IP addresses
    > that I think you should no longer be able to talk to. When you come in
    > the next morning, you find that you can no longer access the world.
    >
    > Just my $0.02.
    >

       Danger Will Robinson: Conventional wisdom says that
       auto-blocking is inherently dangerous.

       However, for those that like to live at the
       bleeding edge of tech (and the separate
       process scanning logs and processing
       firewall commands sounds like a good
       way to do this...):

       Please remember to include an exclusion list and put
       on them important sites such as root servers, other
       important dns servers (yours, and important sites for
       your users), and in general any host you don't want
       to receive phone calls about being DoSed when
       they are spoofed - usually inconveniently like that
       first time you actually manage to get on vacation....
       (i.e. imagine "Crisis: the ceo can't reach his favorite
       redlite.org game.... you have to fly back from the
       carribean asap....")

    5.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Snort complains about the "react" keyword...

    A: Rerun configure with the --enable-flexresp option and rebuild/reinstall.

    5.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do I get snort to e-mail me alerts?

    A: Log to syslog and use swatch or logcheck.

    5.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How do I log a specific type of traffic and send alerts to syslog?

    A: An example addition to snort.conf:
     ruletype redalert
      {
        type alert
        output alert_syslog: LOG_LOCAL2
        output database: alert, postgresql, user=user dbname=snort password=pwd
      }

    [...snip...]

    Go into your local.rules and make sure you have something like:

     redalert tcp any any -> any any (msg:"REDRUM REDRUM"; content:"redalerttest")

    Then just do a telnet and type 'redalerttest'. Presto, alerts to both.

     
    5.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Is it possible to have snort call an external program when an alert is
       raised?

       Calling another program from within your main IDS loop is
       generally a bad idea. Having your IDS block while waiting
       for <something> of dubious reliability and origin nevermind
       timing while the packets are piling up is inviting packet loss.
       Especially with the already oh-so-consistent "Gee I think
       I'll go away for a minute" rock steady even cpu slicing
       Windows gives you (that's sarcasm, sorry). Go with the
       second approach.... process invokation is expensive on
       Windows.

       You want to keep that IDS task humming and munching
       packets as efficiently as possible with as few interruptions
       as possible, imho, and not be invoking the penalty of
       process invocation.... particularly on Windows where
       process invocation is much much heavier task than *nix.

       Even in a secondary process... You'll probably find
       something that stays "awake" all the time will work out
       much more nicely than something that gets "woken up"
       on a per alert basis for the aforementioned reasons.
      
       As a better alternative go check out swatch or logwatch.

    --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

    ***************************************
    Section 6: PROBLEMS
    ***************************************

    6.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I think I found a bug in snort. Now what?

    A: get some more diagnostic information and post it to "snort-users" at
        http://www.sourceforge.net

        To get diagnostic information compile snort as either:

            make clean; make CFLAGS=-ggdb

            or
            make clean; make "CFLAGS=-ggdb -DDEBUG"

        trace coredump as:

            gdb /path/to/snort /path/to/snort/core

            gdb> where
            gdb> bt
            gdb> print $varname, varname, $$varname etc..

        or if corefile isn't generated snort should be started as

            gdb snort

            gdb> run <snort args without -D switch :-)>
                                    

    6.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: SMB alerts aren't working, what's wrong?

    A: Make sure you include "--enable-smbalerts" when you run "./configure".
     

    6.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Snort says "Garbage Packet with Null Pointer discarded!". Huh?

    A: This was an internal diagnostic message triggered by an old bug
       in early versions of the defragmentation preprocessor. Upgrade to
       to the latest version of snort.

    6.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Snort says "Ran Out Of Space". Huh?

    A: This is an internal diagnostic message when the defragmentation
        preprocessor runs into its ~32MB hard allocation space limit.
        Tell Dragos about it <drkyx.net>.

    6.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I'm having problems getting snort to log to a database...

    A: There were some issues with snort 1.6.3 writes

       Lee wrote..
    > > Initializing rule chains...
    > > log_database: Database type is mysql
    > > log_database: Database name is snort
    > > log_database: Host set to localhost
    > > log_database: User set to root
    > > Problem obtaining SENSOR ID (sid) from mysql->snort->event

       In version 1.6.3, it turns out that many people have seen this error
       because they did not compile in support for their database. It should
       be fixed in snort 1.7

       A quick and easy "fix" for older snort versions is to add -lm to
       either LIBS or LDFLAGS in the Makefile. e.g.

       LIBS = -lm -lmysqlclient -lpcap -lsocket -lnsl

       Anyway, if you are still having this problem you can take a look at
       the updated the installation and configuration information at the
       following web site.

       http://www.incident.org/snortdb

    6.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: My ACID db connection times-out when performing long operations (e.g.
       deleting a large number of alerts)

    A: PHP has an internal variable set to limit the length an script can
       execute. It is used to prevent poorly written code from executing
       indefinitely. In order to modify the time-out value, examine the
       'max_execution_time' variable found in the 'php.ini' configuration file.

    6.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Why does snort report "Packet loss statistics are unavailable under Linux"?

    A: The Linux IP stack doesn't report lost packet stats. This may be changing
        in version 2.4 of Linux, but for now you just don't get them. Try one
        of the BSDs, they work just fine. This also has been recently fixed with
        the 2.4 kernel in the new version of libpcap... upgrade kernels and libpcap
        and it should now work.

    6.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: My /var/log/snort directory get very large.....

    A: Try this script to archive the files.

    #!/bin/sh
    #
    # Logfile roation script for snort writen by jamesoelwood.net.
    #
    # This script is pretty basic. We start out by setting some vars.
    # Its job is tho rotate the days logfiles, e-mail you with what
    # it logged, keep one weeks worth of uncompressed logs, and also
    # keep compressed tgz files of all the logs. It is made to be run
    # at midnight everynight. This script expects you to have a base
    # dir that you keep all of your logs, rule sets etc in. You can
    # see what sub dirs it expects from looking at the var settings
    # below.
    #
    # Things to note in this script is that we run this script at 12
    # every night, so we want to set the dirdate var the day the script
    # runs minus a day so we label the files with the correct day. We
    # Then create a dir for the days logs, move the log files into
    # todays dir. As soon as that is done restart snort so we don't miss
    # anything. Then delete any logs that are uncompressed and over a
    # week old. Then compress out todays logs and archive them away, and
    # end up by mailling out the logs to you.
    #

    # Define where you have the base of your snort install

    snortbase=/usr/snort

    # Define other vars
    # logdir - Where the logs are kept
    # oldlogs - Where you want the archived .tgz logs kept
    # weeklogs - This is where you want to keep a weeks worth of log files uncompressed
    # dirdate - Todays Date in Month - Day - Year format
    # olddirdate - Todays date in the same format as dirdate, minus a week

    logdir=$snortbase/log
    oldlogs=$snortbase/oldlogs
    weeklogs=$snortbase/weeklogs

    # When I first wrote this script, I only ran it on BSD systems. That was a
    # mistake, as BSD systems have a date command that apperently lets you walk the
    # date back pretty easily. Well, some systems don't have this feature, so I had
    # to change the way that dates are done in here. I left in the old way, because
    # it is cleaner, and I added in a new way that should be portable. If anyone
    # has any problems, just let me know and I will try to fix it.
    #
    # You have to change the system var to either bsd or other. Set it to bsd if
    # your system supports the "-v" flag. If you are not sure, set it to other.

    system=bsd

    if [ $system = bsd ]
    then
     dirdate=`date -v -1d "+%m-%d-%y"`
     olddirdate=`date -v -8d "+%m-%d-%y"`
    elif [ $system = other ]
     month=`date "+%m"`
     yesterday=`expr \`date "+%d"\` - 1`
     eightday=`expr \`date "+%d"\` - 8`
     year=`date "+%y"`

     dirdate=$month-$yesterday-$year
     olddirdate=$month-$eightday-$year
    fi

    # Create the Dir for todays logs.

    if [ ! -d $weeklogs/$dirdate ]
    then
     mkdir $weeklogs/$dirdate
    fi

    # Move the log files into todays log dir. This is done with
    # a for loop right now, because I am afriad that if alot is
    # logged there may be to many items to move with a "mv *"
    # type command. There may a better way to do this, but I don't
    # know it yet.

    for logitem in `ls $logdir` ; do
     mv $logdir/$logitem $weeklogs/$dirdate
    done

    # Kill and restart snort now that the log files are moved.

    kill `cat /var/run/snort_fxp0.pid`

    # Restart snort in the correct way for you

    /usr/local/bin/snort -i fxp0 -d -D -h homeiprange/28 -l /usr/snort/log \
    -c /usr/snort/etc/08292k.rules > /dev/null 2>&1

    # Delete any uncompressed log files that over a week old.

    if [ -d $weeklogs/$olddirdate ]
    then
     rm -r $weeklogs/$olddirdate
    fi

    # Compress and save the log files to save for as long as you want.
    # This is done in a sub-shell because we change dirs, and I don't want
    # to do that within the shell that the script runs in.

    (cd $weeklogs; tar zcvf $oldlogs/$dirdate.tgz $dirdate > /dev/null 2>&1)

    # Mail out the log files for today.

    cat $weeklogs/$dirdate/snort.alert | mail -s "Snort logs" youdomain.com
    cat $weeklogs/$dirdate/snort_portscan.log | mail -s "Snort portscan logs" youdomain.com

    6.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Why does the 'error deleting alert' message occur when attempting to delete
       an alert with ACIO?

    A: Most likely the DB user configure in ACID does not have sufficient
       privileges. In addition to those privileges granted to log the alerts into
       the database (INSERT, SELECT), DELETE is also required.

       This permission related issue can be confirmed by manually inserting a row
       into the database, then trying to delete it.

       1. login to MySQL with the same credentials (i.e. username, password) as you
          use in ACID.

       e.g. % mysql -u -p

       2. insert a test row into the event table

       mysql> INSERT INTO event (sid, cid, signature, timestamp) VALUES (1,1000000, "test", "0");

       (this assumes that you don't already have a row with an event ID=1000000. If
        you do just choose another event id #)

       3. now delete this newly inserted row

       mysql> DELETE FROM event WHERE sid=1 AND cid=10000000;

       If you where not able to delete, this confirms that this is a permission
       problem. Re-login to mysql as root, and issue a GRANT command (giving the
       DELETE permission) to the ACID DB user.

       e.g. GRANT DELETE on snort.* to acidlocalhost

       (this assumes that my alert database is 'snort', username is 'acid', and
       logging from the 'localhost')

    6.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: ACID appears to be broken in Lynx

    A: This is a known issue. Lynx mangles some of the form arguments appended to
       the URL. It's resolution is being investigated, but use Netscape, Opera, or
       IE in the mean time.

    6.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings, what's wrong.

    A: You use older libpcap version with recent linux kernel. There should be
        no problem with it as long as your kernel supports SOCK_PACKET socket
        type. To get rid off the warning message however, you'll have to upgrade
        to some recent version of libpcap. (a copy from www.tcpdump.org is
        recommended).

    6.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: on HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument

    A: It's because there's another program running using the DLPI service.
        The HP-UX implementation doesn't allow more than one libpcap program
        at a time to run, unlike Linux. (from snort.c)

    6.13 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I am getting snort dying with 'can not create file' error and I have
       plenty of diskspace, what's wrong?

    A: You may run out of free inodes, which basically also means you can not
        create more files on the partition. The obvious solution is to rm some ;-)

    6.14 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I am using Snort on Windows and receive an OpenPcap() error upon startup:
            
            ERROR: OpenPcap() device open:
            Error opening adapter

       What's wrong?

    A: Either winpcap is not installed, or you are using an incompatible version.
       Try upgrading to the latest version (2.1 as of 4/11/01). It is available
       from http://netgroup-serv.polito.it/winpcap/

    6.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Snort is not logging to my database

    A1: You did not set up the database plugin in your configuration file.

    A2: You are using an older database schema, and should update it by running the
        create scripts from the /contrib directory.

    A3: You are using a command line option that overrides what you have in your
        configuration file. This is most often -A or -s. NOTE: If you wish to log
        to syslog as well, specify so in your configuration file rather then the
        command line.

    A4: There is a problem with your database configuration itself. Make sure the
        user you specify has the correct permissions, or that the database is even
        up and running.

    6.16 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Portscans are not being logged to my database

    A: You need to change the output facility to 'alert' rather then 'log'. The
       portscan preprocessor calls output plugins registered as 'alert' plugins
       rather then 'log'.

          output database: alert, mysql, user=snort dbname=snort host=localhost

    6.17 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Snort is not logging to syslog

    A1: You are using a command line option that overrides what you have in your
        configuration file. This is most often -A.

    A2: It may be logging to the wrong place. Make sure syslog is configured
        correctly.

    6.18 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: I am still getting bombarded with spp_portscan messages even though the IP that I am getting the portscan from is in my $DNS_SERVERs var

    A: Try adding /32 netmasks to those addresses:

       var DNS_SERVERS [xxx.xx.0.3/32,xxx.xxx.0.2/32]

       And make sure the $DNS_SERVERS variable is on the portscan-ignorehosts line:

       preprocessor portscan-ignorehosts: $DNS_SERVERS

    6.19 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Why chrooted snort die when I send it a SIGHUP?

    A: It's a known problem with permissions. Workaround, restart snort instead.

       But the short answer is this: Due to the way the execv(2) call works, it
       "Restarts" snort from scratch. This has the odd side effect of making
       HUPS to a chrooted snort become recursive. For example, chroot to /snort.
       It now sees /snort as / . Now HUP snort. Snort now expects to have
       /snort/snort as /. In other words, you have to re-create your directories
       for your jail inside it. 4 HUPS and you will be in
       /snort/snort/snort/snort.

    6.20 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: My snort crashes, how do I restart it?

    A: Try this shell script or daemontools

    #!/bin/sh
    #snorthup: Snort Restarter and Crash Logger
    #(drkyx..net with help from kmaxwellsuperpages.com)
    $conf = "snort.conf"
    for $IFACE in fxp0 fxp1
    do
        if [ -f /var/run/snort_$IFACE.pid ]; then
            if ! ps -p `cat /var/run/snort_$IFACE.pid` > /dev/null ; then
                /usr/bin/logger -p user.notice snorthup: removing bogus pidfile
                /usr/bin/logger -p user.notice snorthup: restarting absentee snort on $IFACE with conf file $i
                rm -f /var/run/snort_$IFACE.pid
                /usr/local/bin/snort -D -c $conf -i $IFACE
            fi;
       else
           /usr/bin/logger -p user.notice snorthup: restarting snort on $IFACE with conf file $conf
           /usr/local/bin/snort -D -c $conf -i $IFACE
       fi
    done

    6.21 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: Why can't snort see one of the 10Mbps or 100Mbps traffic on my autoswitch
       hub

       Basically it's a function of the design and all autoswitching hubs will
       behave in this way. It's the result of just not being able to stuff all
       the 100 Mbps traffic into the 10Mbps CSMA/CD. One solution I use to the
       problem is these new cheapie four port switches... put all the 10Mbps on
       it's own hub/switch/whatever and then route that to the 100Mbps hub I use
       for monitoring but put a cheapie switch in between that works as an
       adapter basically mediating the 10 up to 100 and vice versa.

       The bad thing about hubs that _don't_ have this "feature", is that
       in order to support 10bt devices, they throttle the entire hub speed
       down to 10bt if there is one or more 10bt only devices hooked up to it.
       I have seen this behavior (and did the bandwidth tests to proove it) on
       old 3com office connect 10/100 hubs (newer ones do the 2 hubs with a switch
       thing.) So, the point of what I am saying is, since these old hubs have
       no switching capabilities, and they don't know which port the traffic is
       supposed to go to (no switch=no arp table), they have to throttle bandwidth.

       None of the hubs and switches have any significant amount of storage
       on the ethernet chip sets, and therefore _any_ non-layer-three box that
       has 100 -> 10 capability can only handle small amounts of traffic before
       the chip set drops incoming packets on the floor. Guess one might call
       that throttled bandwidth, but at the expense of retransmission timeouts
       and retransmissions at the end nodes.
       
       If the box has a backplane, multiple cards and some network management
       functions, there is a higher _probability_ the manufacturer has some
       additional buffering going on to keep dropped packets from happening
       on at least small bursts of traffic.

       In the most generic of terms, if a box supports 100 "full-duplex", then
       its a switch (regardless of what the manufacturer calls it). If it
       supports 100 -> 10, there is 50-50 chance the box has some MAC address
       awareness. If a box only supports 10 -> 10 or 100 -> 100, there is a
       high probability it is not MAC address aware and therefor functions
       like a hub.

       Many hubs have different back planes, ie one for 10 one for 100.

       From a definition standpoint, a hub segment whether it be 10 or 100 is
       a single broadcast/collision domain. You will not see ANY traffic
       between segements without a bridge or layer3 route function between
       them.
      
       In a switched environment, typically each port is a separate collision
       domain but one big broadcast domain. VLANs can be created in some to
       separate into separate broadcast domains and some have built in layer
       3 functionality which basically connects a router into the backplane
       so that it can route between vlans at wire speed.
      
       Think of a switch as a bridge with many ports. (that's what it is).
       Some switches support port mirroring or span ports. When you want to
       "sniff" frames in a switched environment (beyond just
       broadcast/multicast traffic) you need to be able to "see" the unicast
       traffic (telnet,http for example). You set up a port to mirror
       traffic from the ports that have the devices your interested in to the
       port you have your analysis device plugged into. Without doing so,
       you don't see the unicast conversations because the traffic is getting
       "switched" accross the backplane so pc on port 1 talks to server on
       port 2 and no other ports get this traffic. If server on port 2
       broadcasts or multicasts, the information is flooded out all ports.
       (multicast can be controlled on some switches so only those ports that
       have listening stations get the traffic. Not all switches have these
       capabilities.
      
       An excellent book on the topic is Interconnections by Radia Perlman.
       (Bridges and Routers).
      
       Additional caveat: if you deal with full duplex on a switched port,
       only a tap would save you - users have succesfully used Shomiti's
       ones on 100MB FD ports, and used two Snort instances, capturing
       traffic on both directions. Port mirroring didn't work in that case ...

    --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

    --END OF FAQ v1.8.1--

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users