Comments for Amar Kulo http://blog.amarkulo.com System administration, photography and DIY projects Mon, 15 Feb 2010 07:49:56 +0000 http://wordpress.org/?v=abc hourly 1 Comment on How to install Snort Intrusion Detection System on Windows by Amar Kulo http://blog.amarkulo.com/how-to-install-snort-ids-on-windows/comment-page-1#comment-241 Amar Kulo Mon, 15 Feb 2010 07:49:56 +0000 http://blog.amarkulo.com/?p=267#comment-241 Sorry, it was my mistake that one extra "\" was left behind on preprocesor line. Now it's removed. Regardin logs, if you are using -l path then check if snort can write to log directory. Instruction says that <em>config detection: search-method ac-bnfa max_queue_events 5</em> should be written on one line, not on two, and if you are writing them on 2 then you need "\" on the end of the first line. Sorry, it was my mistake that one extra “\” was left behind on preprocesor line. Now it’s removed.

Regardin logs, if you are using -l path then check if snort can write to log directory.

Instruction says that config detection: search-method ac-bnfa max_queue_events 5 should be written on one line, not on two, and if you are writing them on 2 then you need “\” on the end of the first line.

]]> Comment on How to install Snort Intrusion Detection System on Windows by gregg http://blog.amarkulo.com/how-to-install-snort-ids-on-windows/comment-page-1#comment-240 gregg Mon, 15 Feb 2010 01:22:39 +0000 http://blog.amarkulo.com/?p=267#comment-240 Regarding ennguyennguyen's problem with max_queue_events: The instructions say to use this: config detection: search-method ac-bnfa max_queue_events 5 But this is missing a "\" after "ac-bnfa" to ensure this is interpreted as one long command without an end-of-line. Alternatively, you can simply write it as config detection: search-method ac-bnfa max_queue_events 5 As for problems incurred by an extra trailing "\", make sure there is nothing on the line that follows, so that the command interpreter will pick up the end-of-line. "\" is just for readability. If your code is all mashed up so that one command follows another without a blank line, and you are using trailing "\", then the interpreter won't know where parameters end and the next command begins. For example, the code segment: preprocessor ftp_telnet_protocol: \ preprocessor ftp_telnet_protocol: \ will try to be read as preprocessor ftp_telnet_protocol: preprocessor ftp_telnet_protocol: which is nonsense. Make sure you have newlines where newlines are needed, and "\" where the command is NOT supposed to end. Regarding ennguyennguyen’s problem with max_queue_events:

The instructions say to use this:
config detection: search-method ac-bnfa
max_queue_events 5

But this is missing a “\” after “ac-bnfa” to ensure this is interpreted as one long command without an end-of-line. Alternatively, you can simply write it as
config detection: search-method ac-bnfa max_queue_events 5

As for problems incurred by an extra trailing “\”, make sure there is nothing on the line that follows, so that the command interpreter will pick up the end-of-line. “\” is just for readability. If your code is all mashed up so that one command follows another without a blank line, and you are using trailing “\”, then the interpreter won’t know where parameters end and the next command begins. For example, the code segment:

preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \

will try to be read as
preprocessor ftp_telnet_protocol: preprocessor ftp_telnet_protocol:

which is nonsense.

Make sure you have newlines where newlines are needed, and “\” where the command is NOT supposed to end.

]]> Comment on How to install Snort Intrusion Detection System on Windows by ennguyennguyen http://blog.amarkulo.com/how-to-install-snort-ids-on-windows/comment-page-1#comment-208 ennguyennguyen Wed, 13 Jan 2010 19:00:08 +0000 http://blog.amarkulo.com/?p=267#comment-208 Amar Kulo, why can't my snort write log file into folders? I try many ways, but that still doesn't work. Amar Kulo, why can’t my snort write log file into folders? I try many ways, but that still doesn’t work.

]]> Comment on How to install Snort Intrusion Detection System on Windows by ennguyennguyen http://blog.amarkulo.com/how-to-install-snort-ids-on-windows/comment-page-1#comment-207 ennguyennguyen Wed, 13 Jan 2010 13:11:37 +0000 http://blog.amarkulo.com/?p=267#comment-207 Yes, I'm waiting for you. Actually, I decided to ignore IDSCenter. Instead of IDSCenter, I run snort through command line. BUT still I have trouble with snort. I try apacheDoS and guess what, Snort doesn't write any log into alert.ids. But when I using nmap, Snort writes log. What wrong with that? Can you suggest me some more tools to test Snort? Thank you so much. Yes, I’m waiting for you. Actually, I decided to ignore IDSCenter. Instead of IDSCenter, I run snort through command line.

BUT still I have trouble with snort. I try apacheDoS and guess what, Snort doesn’t write any log into alert.ids. But when I using nmap, Snort writes log. What wrong with that? Can you suggest me some more tools to test Snort?

Thank you so much.

]]> Comment on How to install Snort Intrusion Detection System on Windows by Amar Kulo http://blog.amarkulo.com/how-to-install-snort-ids-on-windows/comment-page-1#comment-206 Amar Kulo Wed, 13 Jan 2010 10:10:17 +0000 http://blog.amarkulo.com/?p=267#comment-206 Hmm I have tested my conf and still don't have problem with trailing \. I have updated post with my snort.conf file just for the records. Regarding stream5 preprocessor, I don't know why is it complaining because stream5 should be in dynamic engine, there is no separate preprocessor .dll file for it. Test with my config file and see what happens. I don't use IDSCenter, but I will give it a go to see what kind of problems are you having. Hmm I have tested my conf and still don’t have problem with trailing \. I have updated post with my snort.conf file just for the records.

Regarding stream5 preprocessor, I don’t know why is it complaining because stream5 should be in dynamic engine, there is no separate preprocessor .dll file for it.

Test with my config file and see what happens.

I don’t use IDSCenter, but I will give it a go to see what kind of problems are you having.

]]> Comment on How to install Snort Intrusion Detection System on Windows by ennguyennguyen http://blog.amarkulo.com/how-to-install-snort-ids-on-windows/comment-page-1#comment-205 ennguyennguyen Tue, 12 Jan 2010 10:49:38 +0000 http://blog.amarkulo.com/?p=267#comment-205 Snort really is a big mess. When I can run snort in command line, I failed to start Snort in IDSCenter. IDSCenter refrase the snort.conf in somekind of structure and it cause Snort failed to start. Can you post an entry show us how to configure IDSCenter? I'm going crazy with this. Exactly, I have problems with the preprocessor bo. preprocessor bo preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy windows timeout 180 preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, preprocessor stream5_udp: ignore_any_rules preprocessor http_inspect: global iis_unicode_map unicode.map 1252 preprocessor http_inspect_server: default_server preprocessor ftp_telnet: \ preprocessor ftp_telnet_protocol: \ preprocessor ftp_telnet_protocol: \ preprocessor ftp_telnet_protocol: \ preprocessor SMTP: \ preprocessor ssh: server_ports { 22 } \ preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted preprocessor dcerpc2: memcap 102400, events [co ] preprocessor dcerpc2_server: default, policy WinXP, \ preprocessor dns: ports { 53 } enable_rdata_overflow This mess, from stream5 to the end of this. I always have trouble like "unknown preprocessor stream5" or "must configure http inspect global configuration first" and so far, ftp_telnet, bla bla bla.... Thanks!!!! Snort really is a big mess. When I can run snort in command line, I failed to start Snort in IDSCenter. IDSCenter refrase the snort.conf in somekind of structure and it cause Snort failed to start. Can you post an entry show us how to configure IDSCenter? I’m going crazy with this.

Exactly, I have problems with the preprocessor bo.

preprocessor bo

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes,
preprocessor stream5_udp: ignore_any_rules
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: default_server
preprocessor ftp_telnet: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor SMTP: \
preprocessor ssh: server_ports { 22 } \
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917
7918 7919 7920 }, trustservers, noinspect_encrypted
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
preprocessor dns: ports { 53 } enable_rdata_overflow

This mess, from stream5 to the end of this. I always have trouble like “unknown preprocessor stream5″ or “must configure http inspect global configuration first” and so far, ftp_telnet, bla bla bla….

Thanks!!!!

]]> Comment on How to install Snort Intrusion Detection System on Windows by ennguyennguyen http://blog.amarkulo.com/how-to-install-snort-ids-on-windows/comment-page-1#comment-204 ennguyennguyen Tue, 12 Jan 2010 10:13:02 +0000 http://blog.amarkulo.com/?p=267#comment-204 I follow your step, ignore the last "/". Snort run smoothly, but there still an error: ERROR: c:\snort\etc\snort.conf(273) Unknown rule type: max_queue_events. I wonder what this problem is. I follow your step, ignore the last “/”. Snort run smoothly, but there still an error:

ERROR: c:\snort\etc\snort.conf(273) Unknown rule type: max_queue_events.

I wonder what this problem is.

]]> Comment on How to install Snort Intrusion Detection System on Windows by Amar Kulo http://blog.amarkulo.com/how-to-install-snort-ids-on-windows/comment-page-1#comment-203 Amar Kulo Fri, 08 Jan 2010 19:41:37 +0000 http://blog.amarkulo.com/?p=267#comment-203 It could be, I will test it on Monday and fix it in post if it is correct. Tnx for the tip anyway. :-) It could be, I will test it on Monday and fix it in post if it is correct.

Tnx for the tip anyway. :-)

]]> Comment on How to install Snort Intrusion Detection System on Windows by mathben http://blog.amarkulo.com/how-to-install-snort-ids-on-windows/comment-page-1#comment-202 mathben Fri, 08 Jan 2010 19:38:01 +0000 http://blog.amarkulo.com/?p=267#comment-202 When i keep the ' \' at the end of this configuration, i have this error : ERROR: Invalid argument: preprocessor Fatal Error, Quitting.. When i keep the ‘ \’ at the end of this configuration, i have this error :

ERROR: Invalid argument: preprocessor
Fatal Error, Quitting..

]]> Comment on How to install Snort Intrusion Detection System on Windows by Amar Kulo http://blog.amarkulo.com/how-to-install-snort-ids-on-windows/comment-page-1#comment-201 Amar Kulo Fri, 08 Jan 2010 19:28:17 +0000 http://blog.amarkulo.com/?p=267#comment-201 Hmm, I don't think so but I will check. Reason why / is there is because / says that next line also is part of preprocessor configuration but I will check anyway. Tnx for your comment. Hmm, I don’t think so but I will check.

Reason why / is there is because / says that next line also is part of preprocessor configuration but I will check anyway.

Tnx for your comment.

]]>