michael_b Posted April 26, 2015 (edited)
Good guide, however less clearly explained than the Snort setup guide. After completing the guide, all rules are DISABLED; you have to add the complete list of classifications in the enablesid.conf before rules become enabled. But that helps in learning how it works, so thanks!
However, the real issue I'm having is that the igmp protocol doesn't seem to be supported. Upon testing Snort, I receive an error: Invalid protocol name for "ip_proto" rule option: "igmp". Therefore, I have disabled these rules in my disable.conf (pcre:ip_proto:igmp). Any idea how to enable support for the igmp protocol? (21 rules are disabled by this regular expression, so it is not such a big deal, but still).
UPDATE: Hmm, it's pretty strange, because Snort doesn't throw an error on 'ip_proto:2', even though that is exactly the same as saying 'ip_proto:igmp'. Maybe a very small issue in the protocol number to name link? Can that link be changed manually?
Edited April 26, 2015 by michael_b
michael_b Posted April 26, 2015 (Author)
Ok, found the cause. It seems on Windows there is a protocols file: C:\Windows\System32\drivers\etc\protocol
It didn't contain number 2 ;).
michael_b Posted April 26, 2015 (Author)
And in response to my comment about the fact that all rules are disabled by default, it seems to be more complicated than that. I don't quite understand how the pulledpork conf (ips_policy) and the snort.conf work together. However, that is more a pulledpork issue, so I asked the question on the users list: http://sourceforge.net/p/snort/mailman/snort-users/thread/DUB119-W52031FD174234DE21E7744A5EA0%40phx.gbl/#msg34041805.
Morpheus Posted April 26, 2015
I'm not really sure about these items as I haven't used PP in a very long time. I usually pull it up when something goes wrong to fix it.
1) You are saying that running the test for Snort 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T' produces this error: Invalid protocol name for "ip_proto" rule option: "igmp". I ran the test (d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T) and am not seeing this error?
You said there is something missing in the 'C:\Windows\System32\drivers\etc\protocol' file: It didn't contain number 2
Here is the file:
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This file contains the Internet protocols as defined by various
# RFCs. See http://www.iana.org/assignments/protocol-numbers
#
# Format:
#
# <protocol name> <assigned number> [aliases...] [#<comment>]
ip          0   IP          # Internet protocol
icmp        1   ICMP        # Internet control message protocol
ggp         3   GGP         # Gateway-gateway protocol
tcp         6   TCP         # Transmission control protocol
egp         8   EGP         # Exterior gateway protocol
pup        12   PUP         # PARC universal packet protocol
udp        17   UDP         # User datagram protocol
hmp        20   HMP         # Host monitoring protocol
xns-idp    22   XNS-IDP     # Xerox NS IDP
rdp        27   RDP         # "reliable datagram" protocol
ipv6       41   IPv6        # Internet protocol IPv6
ipv6-route 43   IPv6-Route  # Routing header for IPv6
ipv6-frag  44   IPv6-Frag   # Fragment header for IPv6
esp        50   ESP         # Encapsulating security payload
ah         51   AH          # Authentication header
ipv6-icmp  58   IPv6-ICMP   # ICMP for IPv6
ipv6-nonxt 59   IPv6-NoNxt  # No next header for IPv6
ipv6-opts  60   IPv6-Opts   # Destination options for IPv6
rvd        66   RVD         # MIT remote virtual disk
What exactly needs to be added?
igmp        2   IGMP        # Internet Group Management Protocol
Is this something that should be included? I can automatically search the 'C:\Windows\System32\drivers\etc\protocol' file when the modder.vbs runs, and add the setting if it's missing.
As a note: PP is an extremely powerful rule management tool, and it's been my experience that asking questions in the snort-users group will get answers faster than in the pulledpork-users group.
michael_b Posted April 26, 2015 (Author, edited)
Hello Morpheus,
1) As I didn't know yet how the enablesid.conf and the ips_policy exactly worked together with the snort.conf, I enabled all rules for my first tests. (I enabled them all through the enablesid.conf, by adding all possible classifications: preprocessor, protocol-ftp, blacklist, etc.). Now if you do that, there are about 24095 rules that become enabled. 25 of them concern the IGMP protocol. Snort knows about this protocol, but apparently it needs the number (2 in this case). Two out of the 25 rules were specified with 'igmp' (not the number); Snort looks at the Windows protocols file to translate it to a protocol number. Problem was that not all protocol numbers are included by default in that file. So yes, I think it would be good to add that in the modder.vbs. By the way, I also had to add '132' (SCTP). It's possible that in future updates, other protocol numbers will be necessary (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
2) Yes, I've posted two questions in the snort users list today, and received an answer at most 30 minutes later. The link between PulledPork and Snort is becoming very clear.
Thanks for these guides, you must have put a lot of work into them.
Edited April 26, 2015 by Morpheus: Fixed the URL link
Morpheus Posted April 26, 2015 (edited)
Ok, thanks. I have added both protocols to the modder.vbs file that will activate on the first reboot.
igmp        2   IGMP        # Internet Group Management Protocol
sctp      132   SCTP        # Stream Control Transmission Protocol
> Hello Morpheus,
> 1) As I didn't know yet how the enablesid.conf and the ips_policy exactly worked together with the snort.conf, I enabled all rules for my first tests. (I enabled them all through the enablesid.conf, by adding all possible classifications: preprocessor, protocol-ftp, blacklist, etc.).
Can you post your enablesid.conf that enables all the rules?
Edited April 26, 2015 by Morpheus
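The lookup the thread is describing, as an added example (not code from the thread, from Snort or from PulledPork): Snort takes a numeric ip_proto value as-is, but a name like igmp has to be resolved through the system protocols file, which on Windows is C:\Windows\System32\drivers\etc\protocol. The script below parses a constructed copy of that file (abbreviated from the stock listing quoted above, with no igmp or sctp entry), shows that ip_proto:2 resolves while ip_proto:igmp does not, and generates the lines that the modder.vbs change appends. The file format, the entries, and the comparison-operator handling are the assumptions; nothing is written to disk.

```python
"""Resolve Snort ip_proto values against a Windows-style protocols file.

Added example, not code from the thread or from Snort/PulledPork.
Assumed format (as in the Windows file): name, number, aliases, optional
'#' comment. A numeric ip_proto value is used directly; a name is looked
up case-insensitively, as getprotobyname() would.
"""
import re

# Constructed sample: stock Windows protocols file, abbreviated, lacking igmp and sctp.
STOCK_PROTOCOL_FILE = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# Format:
# <protocol name> <assigned number> [aliases...] [#<comment>]
ip         0    IP     # Internet protocol
icmp       1    ICMP   # Internet control message protocol
ggp        3    GGP    # Gateway-gateway protocol
tcp        6    TCP    # Transmission control protocol
udp       17    UDP    # User datagram protocol
ipv6      41    IPv6   # Internet protocol IPv6
esp       50    ESP    # Encapsulating security payload
ah        51    AH     # Authentication header
"""

# Entries the thread found the rule set needs; numbers are the IANA assignments.
REQUIRED_ENTRIES = {
    "igmp": (2, "IGMP", "Internet Group Management Protocol"),
    "sctp": (132, "SCTP", "Stream Control Transmission Protocol"),
}

def parse_protocol_file(text):
    """Return {lowercase name or alias: number}, ignoring comments and blank lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue                              # malformed line: skip, do not guess
        number = int(fields[1])
        for name in [fields[0]] + fields[2:]:     # primary name plus aliases
            table.setdefault(name.lower(), number)
    return table

def resolve_ip_proto(value, table):
    """Resolve one ip_proto option value: digits are the protocol number,
    anything else is a name looked up in the table. Returns None for an
    unknown name, which is the case Snort reports as
    'Invalid protocol name for "ip_proto" rule option'."""
    # Snort allows an optional !, < or > operator before the value; strip it.
    m = re.match(r"^[!<>]?\s*(\S+)$", value.strip())
    if not m:
        return None
    token = m.group(1)
    if token.isdigit():
        return int(token)
    return table.get(token.lower())

def missing_entry_lines(table, required=REQUIRED_ENTRIES):
    """Lines to append to the protocols file for required protocols that are
    absent by name and by number (what the modder.vbs addition does)."""
    lines = []
    for name, (number, alias, comment) in required.items():
        if name not in table and number not in table.values():
            lines.append(f"{name:<10}{number:<6}{alias:<8}# {comment}")
    return lines

def check_rule_options(values, table):
    """Map each ip_proto value to its resolved number, or None if unresolvable."""
    return {v: resolve_ip_proto(v, table) for v in values}

if __name__ == "__main__":
    table = parse_protocol_file(STOCK_PROTOCOL_FILE)
    print(check_rule_options(["2", "igmp", "tcp", "132", "sctp"], table))
    fix = missing_entry_lines(table)
    print("\n".join(fix))
    patched = parse_protocol_file(STOCK_PROTOCOL_FILE + "\n".join(fix) + "\n")
    print(check_rule_options(["igmp", "sctp"], patched))
```

Run against the real file, the same parse/missing-entry pair is the check to put in front of the snort -T test: an empty result from missing_entry_lines means every name the rule set uses will resolve, and a non-empty one lists exactly what to append.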
michael_b Posted April 27, 2015 (Author, edited)
Sure, I think I got it from the snort archive, a reply to a question of you yourself. I commented out the full list, and enabled only some of them. If you remove the enabled items and then uncomment them all, all my rules become enabled.
# example enablesid.conf v3.1
# SPECIAL NOTE, if you use the -R flag, the rule(s) specified in this file
# will be set back to their ORIGINAL state as it was read when they were
# originally extracted from the source tarball!
# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013
# Comments are allowed in this file, and can also be on the same line
# As the modify state syntax, as long as it is a trailing comment
# 1:1011 # I Disabled this rule because I could!
# Example of modifying state for MS and cve rules, note the use of the :
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids! These support regular expression
# matching only after you have specified what you are looking for, i.e.
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more information
# about regular expression syntax: http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+
# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
# Any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.
preprocessor
protocol-ftp
server-iis
server-mssql
server-mysql
os-windows
malware-backdoor
malware-cnc
malware-other
malware-tools
browser-chrome
browser-firefox
browser-ie
browser-other
exploit-kit
blacklist
#full list:
#app-detect
#blacklist
#browser-chrome
#browser-firefox
#browser-ie
#browser-other
#browser-plugins
#browser-webkit
#content-replace
#decoder
#dos
#exploit-kit
#file-executable
#file-flash
#file-identify
#file-image
#file-java
#file-multimedia
#file-office
#file-other
#file-pdf
#indicator-compromise
#indicator-obfuscation
#indicator-scan
#indicator-shellcode
#malware-backdoor
#malware-cnc
#malware-other
#malware-tools
#netbios
#os-linux
#os-mobile
#os-other
#os-solaris
#os-windows
#policy-multimedia
#policy-other
#policy-social
#policy-spam
#preprocessor
#protocol-dns
#protocol-finger
#protocol-ftp
#protocol-icmp
#protocol-imap
#protocol-nntp
#protocol-pop
#protocol-rpc
#protocol-scada
#protocol-services
#protocol-snmp
#protocol-telnet
#protocol-tftp
#protocol-voip
#pua-adware
#pua-other
#pua-p2p
#pua-toolbars
#server-apache
#server-iis
#server-mail
#server-mssql
#server-mysql
#server-oracle
#server-other
#server-samba
#server-webapp
#sql
#x11
I can post a screenshot of the amount of enabled rules in the PulledPork command line later today if you wish. I use the following command to update the rules without redownloading:
perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T -nP
Edited April 27, 2015 by michael_b
Morpheus Posted April 27, 2015 (edited)
It appears all that is needed is to add each of the rules files into the enablesid.conf file? If I remember right there is a global way to do this without having to add a list of rules? Thanks...
Edited April 27, 2015 by Morpheus
michael_b Posted April 27, 2015 (Author, edited)
Using the following exact enablesid.conf enables all rules (5 exceptions):
# example enablesid.conf v3.1
# SPECIAL NOTE, if you use the -R flag, the rule(s) specified in this file
# will be set back to their ORIGINAL state as it was read when they were
# originally extracted from the source tarball!
# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013
# Comments are allowed in this file, and can also be on the same line
# As the modify state syntax, as long as it is a trailing comment
# 1:1011 # I Disabled this rule because I could!
# Example of modifying state for MS and cve rules, note the use of the :
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids! These support regular expression
# matching only after you have specified what you are looking for, i.e.
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more information
# about regular expression syntax: http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+
# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
# Any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.
app-detect
blacklist
browser-chrome
browser-firefox
browser-ie
browser-other
browser-plugins
browser-webkit
content-replace
decoder
dos
exploit-kit
file-executable
file-flash
file-identify
file-image
file-java
file-multimedia
file-office
file-other
file-pdf
indicator-compromise
indicator-obfuscation
indicator-scan
indicator-shellcode
malware-backdoor
malware-cnc
malware-other
malware-tools
netbios
os-linux
os-mobile
os-other
os-solaris
os-windows
policy-multimedia
policy-other
policy-social
policy-spam
preprocessor
protocol-dns
protocol-finger
protocol-ftp
protocol-icmp
protocol-imap
protocol-nntp
protocol-pop
protocol-rpc
protocol-scada
protocol-services
protocol-snmp
protocol-telnet
protocol-tftp
protocol-voip
pua-adware
pua-other
pua-p2p
pua-toolbars
server-apache
server-iis
server-mail
server-mssql
server-mysql
server-oracle
server-other
server-samba
server-webapp
sql
x11
Edited April 27, 2015 by michael_b
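How the entry syntax documented in the enablesid.conf header above selects rules, as an added example (not PulledPork's own code): the script below parses the gid:sid, gid:sid-gid:sid range, pcre: and bare-category forms, drops trailing comments, and applies the entries to a constructed five-rule set. The pcre entry it uses is the same one michael_b put in disable.conf earlier in the thread (pcre:ip_proto:igmp), so the run shows which IGMP rules that expression actually reaches and which it misses. Category names are taken to be the rules-file stems (os-windows for os-windows.rules), as in the category list posted above; the MS/cve reference forms are not modelled, and a regex containing a literal '#' would be cut by the comment stripping.

```python
"""Apply enablesid.conf entries to a small constructed Snort rule set.

Added example, not PulledPork's own code. Models the entry forms the
enablesid.conf header documents: gid:sid, gid:sid-gid:sid, pcre:<regex>
(case-insensitive, matched against the rule text) and a category name.
Ranges are assumed to span a single gid.
"""
import re

# Constructed sample rules: (gid, sid, category, rule text, enabled_by_default)
SAMPLE_RULES = [
    (1, 1034, "os-windows",
     'alert tcp any any -> any 445 (msg:"OS-WINDOWS sample"; sid:1034;)', False),
    (1, 2000, "protocol-icmp",
     'alert ip any any -> any any (msg:"PROTOCOL-ICMP IGMP by name"; ip_proto:igmp; sid:2000;)', False),
    (1, 2001, "protocol-icmp",
     'alert ip any any -> any any (msg:"PROTOCOL-ICMP IGMP by number"; ip_proto:2; sid:2001;)', False),
    (1, 3000, "server-iis",
     'alert tcp any any -> any 80 (msg:"SERVER-IIS sample"; sid:3000;)', False),
    (3, 13010, "preprocessor",
     'alert ( msg:"SHARED sample"; sid:13010; gid:3;)', False),
]

# Constructed enablesid.conf fragment exercising each entry form.
SAMPLE_ENABLESID = """\
# constructed enablesid.conf fragment
1:1034            # one rule by gid:sid
3:13010-3:13013   # a range of shared-object rules
pcre:ip_proto:igmp
#server-iis       # commented out, so this category stays disabled
"""

RANGE_RE = re.compile(r"^(\d+):(\d+)-(\d+):(\d+)$")
SID_RE = re.compile(r"^(\d+):(\d+)$")

def parse_enablesid(text):
    """Return the entries: '#' to end of line is a comment (trailing ones too),
    and the rest is split on commas and on lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        entries.extend(e.strip() for e in line.split(",") if e.strip())
    return entries

def entry_matches(entry, gid, sid, category, rule_text):
    """True if one enablesid entry selects the given rule."""
    m = RANGE_RE.match(entry)
    if m:
        g1, s1, g2, s2 = (int(x) for x in m.groups())
        return g1 == gid == g2 and s1 <= sid <= s2
    m = SID_RE.match(entry)
    if m:
        return (int(m.group(1)), int(m.group(2))) == (gid, sid)
    if entry.lower().startswith("pcre:"):
        return re.search(entry[5:], rule_text, re.IGNORECASE) is not None
    return entry.lower() == category.lower()      # bare category name

def apply_enablesid(text, rules=SAMPLE_RULES):
    """Return {(gid, sid): enabled} after applying every entry in text."""
    entries = parse_enablesid(text)
    state = {}
    for gid, sid, category, rule_text, enabled in rules:
        hit = any(entry_matches(e, gid, sid, category, rule_text) for e in entries)
        state[(gid, sid)] = enabled or hit
    return state

def count_enabled(state):
    """Number of rules left enabled, the figure PulledPork reports in its summary."""
    return sum(1 for on in state.values() if on)

if __name__ == "__main__":
    state = apply_enablesid(SAMPLE_ENABLESID)
    for key, on in sorted(state.items()):
        print(key, "enabled" if on else "disabled")
    print("enabled:", count_enabled(state), "of", len(state))
```

Note what the run shows about the pcre approach: the expression matches the rule written with ip_proto:igmp but not the one written with ip_proto:2, which is why fixing the protocols file (so both forms resolve) is the more complete remedy than filtering the rules by text.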