Snort configuration -- Non-dynamic preprocessors
This segment of the Snort configuration tip deals with non-dynamic preprocessors.
Traditionally Snort has relied on preprocessors that are compiled into Snort. Three preprocessors enabled in the stock snort.conf include HTTP Inspect, RPC Decode and BO (Back Orifice). The HTTP Inspect preprocessor is a generic HTTP decoder that examines HTTP requests and replies.
preprocessor http_inspect: global
iis_unicode_map /usr/local/src/snort-2.6.1.2/etc/unicode.map 1252
These values tell HTTP Inspect where to find the unicode.map file and tells Snort to use the United States Unicode codemapp (1252) when decoding Unicode characters.
preprocessor http_inspect_server: server default
profile all ports { 80 8080 8180 } oversize_dir_length 500
This set of values establishes a default profile for all Web servers answering requests on ports 80, 8080 and 8180 TCP. The only other option tells Snort to generate alerts when a URL directory length exceeds 500 characters.
The RPC Decode preprocessor normalizes fragmented RPC into a single record. The default values watch for traffic involving the portmapper (port 111) and 32711, which is only one of many possible RPC server ports.
preprocessor rpc_decode: 111 32771
The final default preprocessor included in the stock snort.conf is the Back Orifice preprocessor, indicated by:
preprocessor bo
Since BO has not been a popular back door communications channel for many years, this preprocessor should be left out of your new configuration file.
In summary, the snort.conf file created thus far contains the following. (I edited the AIM_SERVERS variable to list only one netblock.)
var HOME_NET 192.168.2.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [172.16.3.2,4.2.2.1]
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23]
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global
iis_unicode_map /usr/local/src/snort-2.6.1.2/etc/unicode.map 1252
preprocessor http_inspect_server: server default
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
With these values, Snort can be run in IDS mode:
With this simple configuration Snort can actually detect some types of suspicious and malicious activity, without any rules being included.
Snort: Understanding the configuration file
Introduction: Upgrade to Snort 2.6.1.2
About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.
