Snort configuration -- Non-dynamic preprocessors
This segment of the Snort configuration tip deals with non-dynamic preprocessors.
Traditionally Snort has relied on preprocessors that are compiled into the Snort binary, as opposed to the dynamic preprocessors that are loaded as shared libraries. Three such preprocessors enabled in the stock snort.conf are HTTP Inspect, RPC Decode and BO (Back Orifice). The HTTP Inspect preprocessor is a generic HTTP decoder that examines HTTP requests and replies.
preprocessor http_inspect: global
iis_unicode_map /usr/local/src/snort-2.6.1.2/etc/unicode.map 1252
These values tell HTTP Inspect where to find the unicode.map file and tell Snort to use the United States Unicode codemap (1252) when decoding Unicode characters.
preprocessor http_inspect_server: server default
profile all ports { 80 8080 8180 } oversize_dir_length 500
This set of values establishes a default profile for all Web servers answering requests on TCP ports 80, 8080 and 8180. The only other option tells Snort to generate an alert when a directory in a URL is longer than 500 characters.
The RPC Decode preprocessor normalizes fragmented RPC traffic into a single record. The default values watch for traffic involving the portmapper (port 111) and port 32771, which is only one of many possible RPC server ports.
preprocessor rpc_decode: 111 32771
The final default preprocessor included in the stock snort.conf is the Back Orifice preprocessor, indicated by:
preprocessor bo
Since BO has not been a popular back door communications channel for many years, this preprocessor should be left out of your new configuration file.
In summary, the snort.conf file created thus far contains the following. (I edited the AIM_SERVERS variable to list only one netblock.)
var HOME_NET 192.168.2.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [172.16.3.2,4.2.2.1]
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23]
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global
iis_unicode_map /usr/local/src/snort-2.6.1.2/etc/unicode.map 1252
preprocessor http_inspect_server: server default
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
With these values in place, Snort can be run in IDS mode.
Even this simple configuration, with no rules included, lets Snort detect some types of suspicious and malicious activity.
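As an added example, not code from the article or from the Snort project, the script below parses a snort.conf fragment like the one assembled in this tip, expands $VAR references, and runs the checks the text calls for: that the rpc_decode line still covers the portmapper, that the ports HTTP Inspect normalizes agree with the HTTP_PORTS variable the rules use, and that the obsolete `preprocessor bo` line has been dropped. The sample config is constructed from the listing above (with the bo line added so that check fires); the continuation-line rule and the keyword list are simplifications of snort.conf syntax chosen for this example, not the parser Snort itself uses.

```python
import re

# Constructed sample: the summary snort.conf from the tip, plus the
# 'preprocessor bo' line the author recommends leaving out.
SAMPLE_CONF = """\
var HOME_NET 192.168.2.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [172.16.3.2,4.2.2.1]
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \\
    iis_unicode_map /usr/local/src/snort-2.6.1.2/etc/unicode.map 1252
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
"""

# Simplified set of words that begin a new snort.conf directive (assumption).
KEYWORDS = {"var", "portvar", "ipvar", "preprocessor", "include", "output",
            "config", "dynamicpreprocessor", "dynamicengine", "dynamicdetection",
            "ruletype", "alert", "log", "pass", "drop", "reject", "sdrop",
            "activate", "dynamic"}

# Preprocessors this tip enables; a config missing one of them is flagged.
EXPECTED = ("frag3_global", "frag3_engine", "stream4", "http_inspect",
            "http_inspect_server", "rpc_decode")


def parse_conf(text):
    """Split snort.conf text into logical directives and return
    (variables, preprocessors): variables maps NAME -> raw value,
    preprocessors is a list of (name, option string) in file order."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # A trailing backslash, or a line that does not begin with a directive
        # keyword, continues the previous directive (the article prints the
        # http_inspect options on a second line without a backslash).
        if directives and (directives[-1].endswith("\\")
                           or line.split()[0] not in KEYWORDS):
            directives[-1] = directives[-1].rstrip("\\").rstrip() + " " + line
        else:
            directives.append(line)
    variables, preprocessors = {}, []
    for d in directives:
        keyword, _, rest = d.partition(" ")
        if keyword in ("var", "portvar", "ipvar"):
            name, _, value = rest.strip().partition(" ")
            variables[name] = value.strip()
        elif keyword == "preprocessor":
            name, _, opts = rest.strip().partition(":")
            preprocessors.append((name.strip(), " ".join(opts.split())))
    return variables, preprocessors


def resolve(value, variables, _depth=0):
    """Expand $NAME references recursively ('!$HOME_NET' -> '!192.168.2.0/24')."""
    if _depth > 16:
        raise ValueError("variable reference loop")

    def expand(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("undefined variable $" + name)
        return resolve(variables[name], variables, _depth + 1)
    return re.sub(r"\$(\w+)", expand, value)


def port_list(spec):
    """Turn '80', '[80,8080]' or '80 8080 8180' into a sorted list of ints."""
    return sorted(int(p) for p in re.findall(r"\d+", spec))


def rpc_decode_ports(preprocessors):
    """Ports listed on the rpc_decode line ([] if the preprocessor is absent)."""
    for name, opts in preprocessors:
        if name == "rpc_decode":
            return port_list(opts)
    return []


def http_inspect_server_settings(preprocessors):
    """(ports, oversize_dir_length) from the http_inspect_server directive."""
    for name, opts in preprocessors:
        if name == "http_inspect_server":
            ports = re.search(r"ports\s*\{([^}]*)\}", opts)
            limit = re.search(r"oversize_dir_length\s+(\d+)", opts)
            return (port_list(ports.group(1)) if ports else [],
                    int(limit.group(1)) if limit else None)
    return [], None


def lint(text):
    """Run the checks the tip calls for and return a list of finding strings."""
    variables, preprocessors = parse_conf(text)
    names = {name for name, _ in preprocessors}
    findings = []
    if "bo" in names:
        findings.append("bo: Back Orifice preprocessor is still enabled; drop it")
    for required in EXPECTED:
        if required not in names:
            findings.append(required + ": preprocessor missing")
    rpc = rpc_decode_ports(preprocessors)
    if rpc and 111 not in rpc:
        findings.append("rpc_decode: portmapper port 111 is not listed")
    hi_ports, limit = http_inspect_server_settings(preprocessors)
    rule_ports = port_list(resolve(variables.get("HTTP_PORTS", ""), variables))
    extra = sorted(set(hi_ports) - set(rule_ports))
    if extra:
        findings.append("http_inspect_server: ports %s are normalized but not in "
                        "HTTP_PORTS, so rules using $HTTP_PORTS will not see them"
                        % extra)
    if limit is None:
        findings.append("http_inspect_server: no oversize_dir_length set")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

The HTTP_PORTS mismatch is worth noticing in the listing above: HTTP Inspect normalizes traffic on 8080 and 8180 as well as 80, but any rule written against $HTTP_PORTS only matches port 80, so the extra ports get decoding without signature coverage until the variable is widened to match.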
Snort: Understanding the configuration file
About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.