Snort IDS tips for VARs a

Snort configuration -- Core preprocessors

Preprocessors are functions called after a packet has been decoded, but before the detection engine is invoked. I call the following "core" preprocessors because they support functionality common to many protocols. Flow provides a single mechanism for Snort to track conversations, and certain preprocessors (like sfPortscan) rely on Flow.

preprocessor flow: stats_interval 0 hash 2

The defaults tell Flow to never dump statistics to standard out and to use the "hash by integer" method to track flows. Both values are acceptable.

The Frag3 preprocessor provides target-based IP defragmentation. In other words, operators can tell Snort how it should treat fragmented IP traffic directed to various hosts on the monitored network. The default values are:

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies

With these options, Frag3 will monitor a maximum of 65536 simultaneous fragmented packets. The policy statement tells Frag3 to treat target systems as Windows TCP/IP stacks would and to generate alerts when odd fragmented traffic is detected.

The Stream4 preprocessor reassembles fragmented TCP traffic. It provides a means for Snort to keep track of connections without relying on simply checking for the presence of an ACK flag in a TCP segment. The default values are:

preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble

These values activate Stream4 and tell it to not report when it detects potentially odd activity, like overlapping TCP segments.


Snort: Understanding the configuration file

 Introduction: Upgrade to Snort 2.6.1.2
 The snort.conf file
 Defining IP ranges of interest
 Defining ports of interest
 Core preprocessors
 Non-dynamic preprocessors
 Conclusion

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.


This was first published in January 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: