Intruder Help File

Stream4 preprocessor
reassembles a number of packets so that their combined payload
can be interpreted. If we assume for a moment that the string
"open sesame" will activate a trap door letting in an attacker,
we would write a rule that detects "open sesame" as a string.
If the attacker then breaks the string up into smaller
packets, say "o", "p", "e", "n", etc., the string would not
match any single packet. However, when the smaller packets
were reassembled by the target machine, the string would
still exist. When enabled, this preprocessor detects when a
source host other than the one in the HOME_NET variable starts
more than four port connections within three seconds. When
that happens, two events are written in the Intruder alert
file.
• No inspect: This turns off stream reassembly for all ports
except those explicitly specified.
• keep stats: This option keeps statistics on each session
that stream4 deals with. These statistics are written out to
a file either in machine format, which is plain text, or
binary, which is the standard Snort unified output.
• detect scan: This option sets stream4 to detect port scans
that are not using the standard TCP handshake as the scan
method.
• detect stat: This option sets stream4 to detect problems
with the way the TCP stream is keeping state. This could
indicate a number of hijacking attacks.
• Timeout: Timeout for keeping a stream in active state
(default: 30 seconds).
• memcap: Maximum amount of memory used by the module
(default: 8 MB).
• client only: Reassembles client side stream data packets.
• server only: Reassembles server side stream data packets.
• both: Reassembles server side stream and client side stream
data packets.
• no alerts: Don't alert for insertion or evasion type
attacks.
• ports: List of ports for which streams will be assembled.
The port numbers should be separated by a space character.
The keyword "all" will enable reassembly on port numbers 21
(FTP), 23 (Telnet), 25 (SMTP), 53 (DNS), 80 (HTTP), 110 (POP3),
111, 143, and 513. The port feature is very useful if you want
to enable reassembly for only a few services. It saves CPU
time.
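The following is an added example (not code from the Intruder help file or from Snort): a toy model of what stream4 does for the "open sesame" case above. It checks a content rule per packet, then again after ordering the segments by TCP sequence number and concatenating them, and only reassembles sessions on the ports in the "all" list. Segment layout, the source address and the rule string are constructed for the example.

```python
"""Added example, not part of the Intruder help file or Snort: why a
content rule must be checked against the reassembled stream rather
than against each packet. Segments and addresses are constructed."""

from dataclasses import dataclass

# Ports reassembled by the "all" keyword in the help file.
REASSEMBLY_PORTS = {21, 23, 25, 53, 80, 110, 111, 143, 513}

RULE_CONTENT = b"open sesame"   # the trap-door string from the help text


@dataclass
class Segment:
    src_ip: str
    dst_port: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def matches_per_packet(segments):
    """Inspect each packet on its own: how a rule behaves with
    reassembly switched off."""
    return any(RULE_CONTENT in s.payload for s in segments)


def reassemble(segments):
    """Order segments by sequence number and concatenate them, dropping
    bytes already covered by an earlier segment (first copy wins)."""
    stream = b""
    expected = None
    for s in sorted(segments, key=lambda seg: seg.seq):
        if expected is None:
            expected = s.seq
        if s.seq > expected:
            break                       # hole in the stream: stop here
        skip = expected - s.seq         # bytes overlapping earlier data
        stream += s.payload[skip:]
        expected = max(expected, s.seq + len(s.payload))
    return stream


def matches_after_reassembly(segments, ports=REASSEMBLY_PORTS):
    """Reassemble sessions on the configured ports, then apply the rule."""
    by_session = {}
    for s in segments:
        by_session.setdefault((s.src_ip, s.dst_port), []).append(s)
    for (_, port), segs in by_session.items():
        if port in ports and RULE_CONTENT in reassemble(segs):
            return True
    return False


# Constructed evasion attempt: one-byte telnet segments, delivered in
# reverse order.
EVASIVE = [Segment("10.0.0.5", 23, 1000 + i, c.encode())
           for i, c in enumerate("open sesame")]
EVASIVE.reverse()

if __name__ == "__main__":
    print("per-packet match :", matches_per_packet(EVASIVE))
    print("after reassembly :", matches_after_reassembly(EVASIVE))
    print("port not listed  :", matches_after_reassembly(EVASIVE, {80}))
```

The third call shows the cost of trimming the "ports" list: a session on a port that is not reassembled is only ever seen one packet at a time.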
frag2: You can configure timeout and memory limits for packet
defragmentation. By default, the preprocessor uses 4 MB of
memory and a 60-second timeout period. If a packet assembly
is not successful within this time period, previously
collected fragments are discarded. The following command
enables the preprocessor with default values.
On high-speed networks, you should give the preprocessor a
larger memory limit, since a large number of data packets may
be fragmented.
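As an added example (not the help file's own command, and not Snort's frag2 code), here is a small IP defragmenter that enforces the two limits described above: partial datagrams older than 60 seconds are discarded, and new fragments are refused once 4 MB of fragment data is held. Fragment ids, offsets and timestamps are constructed.

```python
"""Added example, not from the Intruder help file or Snort: a toy IP
defragmenter with a per-datagram timeout and a memory cap, the two
limits the help text describes. All fragments are constructed."""

from dataclasses import dataclass, field

TIMEOUT_SECONDS = 60           # frag2 default named in the help text
MEMCAP_BYTES = 4 * 1024 * 1024  # frag2 default named in the help text


@dataclass
class Fragment:
    frag_id: int     # IP identification field shared by all pieces
    offset: int      # byte offset of this piece in the original datagram
    data: bytes
    more: bool       # "more fragments" flag; False on the last piece
    ts: float        # arrival time in seconds


@dataclass
class _Pending:
    first_seen: float
    pieces: dict = field(default_factory=dict)   # offset -> data
    total_len: int = -1                          # known once last piece arrives


class Defragmenter:
    def __init__(self, timeout=TIMEOUT_SECONDS, memcap=MEMCAP_BYTES):
        self.timeout, self.memcap = timeout, memcap
        self.pending = {}      # frag_id -> _Pending
        self.bytes_held = 0
        self.discarded = 0     # datagrams dropped for timeout or memory

    def _release(self, fid, discarded):
        p = self.pending.pop(fid)
        self.bytes_held -= sum(len(d) for d in p.pieces.values())
        if discarded:
            self.discarded += 1

    def _expire(self, now):
        """Discard every partial datagram older than the timeout."""
        for fid in [f for f, p in self.pending.items()
                    if now - p.first_seen > self.timeout]:
            self._release(fid, discarded=True)

    def add(self, frag):
        """Feed one fragment; return the complete datagram or None."""
        self._expire(frag.ts)
        if self.bytes_held + len(frag.data) > self.memcap:
            # Cap reached: drop this datagram's state instead of growing.
            if frag.frag_id in self.pending:
                self._release(frag.frag_id, discarded=True)
            else:
                self.discarded += 1
            return None
        p = self.pending.setdefault(frag.frag_id, _Pending(first_seen=frag.ts))
        if frag.offset not in p.pieces:      # duplicate offset: first copy wins
            p.pieces[frag.offset] = frag.data
            self.bytes_held += len(frag.data)
        if not frag.more:
            p.total_len = frag.offset + len(frag.data)
        return self._try_complete(frag.frag_id)

    def _try_complete(self, fid):
        p = self.pending[fid]
        if p.total_len < 0:
            return None
        out = b""
        for off in sorted(p.pieces):
            if off != len(out):              # hole or overlap: keep waiting
                return None
            out += p.pieces[off]
        if len(out) != p.total_len:
            return None
        self._release(fid, discarded=False)
        return out
```

A second piece that arrives 61 seconds after the first never completes the datagram, because the first piece has already been discarded; the counter `discarded` is what a practitioner would watch when deciding whether the memory limit is too small for the link.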
Port scanning is a process of
finding out which ports are open on a particular host or all
hosts on a network. The first step in any intruder activity is
usually to find out what services are running on a network.
Once an intruder has found this information, attacks for known
vulnerabilities in these services are tried. The portscan
preprocessor is designed to detect port scanning activities.
The preprocessor can be used to log the port scanning
activities to a particular location in addition to standard
logging. Hackers can use multiple port scanning methods. Refer
to the man pages or documentation of the nmap utility
(http://www.nmap.org/) to learn more about port scanning
methods.
• IP Address: The range of IP addresses to monitor, either a
single IP address or a network address. The range is
specified as a CIDR block.
• Number of ports: The number of ports accessed within a
certain time period can be specified. For example, a value
of 5 means that if five ports are scanned within the time
period specified, an alert is generated.
• Time period: The number of seconds that defines the time
period used for the threshold.
• Ignore hosts: Hosts to ignore even if port scanning activity
is detected from them. Use 32 as the CIDR block number to
specify a single host, e.g. 192.168.100.23/32.
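The following added example (not code from the Intruder help file or Snort) implements the three settings just listed as a sliding-window detector: a monitored CIDR range, a distinct-port threshold, a time window, plus an ignore list holding the help file's 192.168.100.23/32. The connection records it runs over are constructed.

```python
"""Added example, not from the Intruder help file or Snort: a sliding-
window port scan detector with a monitored range, a port threshold,
a time window and an ignore list. Connection records are constructed."""

import ipaddress
from collections import defaultdict, deque

MONITORED = ipaddress.ip_network("192.168.100.0/24")        # assumed range
IGNORE = [ipaddress.ip_network("192.168.100.23/32")]        # help file's host
THRESHOLD_PORTS = 5        # distinct ports within the window
WINDOW_SECONDS = 3


class PortScanDetector:
    def __init__(self, monitored=MONITORED, ignore=IGNORE,
                 threshold=THRESHOLD_PORTS, window=WINDOW_SECONDS):
        self.monitored, self.ignore = monitored, ignore
        self.threshold, self.window = threshold, window
        self.history = defaultdict(deque)   # src -> deque of (ts, dst, port)
        self.alerted = set()                # sources already reported

    def observe(self, ts, src, dst, port):
        """Record one connection attempt; return an alert string or None."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip not in self.monitored:
            return None
        if any(src_ip in net for net in self.ignore):
            return None
        q = self.history[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > self.window:     # slide the window
            q.popleft()
        distinct = {(d, p) for _, d, p in q}
        if len(distinct) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return (f"portscan from {src}: {len(distinct)} ports in "
                    f"{self.window}s (first {q[0][0]:.1f}s, last {ts:.1f}s)")
        return None


# Constructed connection log: (time, src, dst, dst_port)
SAMPLE = [
    (0.0, "10.1.1.9", "192.168.100.10", 21),
    (0.5, "10.1.1.9", "192.168.100.10", 22),
    (1.0, "10.1.1.9", "192.168.100.10", 23),
    (1.5, "10.1.1.9", "192.168.100.10", 25),
    (2.0, "10.1.1.9", "192.168.100.10", 80),          # fifth port -> alert
    (2.2, "192.168.100.23", "192.168.100.10", 135),   # ignored host
    (9.0, "10.1.1.9", "192.168.100.10", 443),         # outside the window
]


def run(records=SAMPLE):
    """Return the alerts raised by a list of connection records."""
    det = PortScanDetector()
    return [a for a in (det.observe(*r) for r in records) if a]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only the fifth distinct port inside the three-second window raises an alert, and a source is reported once; the same events from the ignored host are never counted.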
arpspoof: The ARP protocol is used by many people for various
attacks, sniffing and spoofing. The arpspoof preprocessor
detects anomalies in ARP packets. Specifically it does the
following:
• For all ARP requests, if the source MAC address and the
sender's MAC address are different, an alert is generated. If
the source MAC address in the packet does not match the MAC
address associated with the source IP address, then an alert
is generated.
• For ARP replies, the source MAC address is compared to the
sender's MAC address. Similarly, the destination MAC address
is compared to the receiver's MAC address. An alert is
generated if these entries mismatch.
• For unicast ARP requests, if the destination MAC address is
not the broadcast address (FF:FF:FF:FF:FF:FF), an alert is
generated. To check this anomaly, you need to place a line in
the snort.conf file as "preprocessor
• You can pre-populate MAC address/IP address pairs in the
Snort internal cache. The preprocessor will compare these
pre-populated entries with information in the received ARP
packets. In case of a mismatch, an alert will be generated.
For example, if the MAC address for a particular IP address in
ARP replies does not match the pre-populated pair, an alert is
generated.
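The checks in the list above, written out as an added example (not the help file's or Snort's own arpspoof code): Ethernet source versus ARP sender MAC on requests and replies, Ethernet destination versus ARP target MAC on replies, the unicast-request check, and the pre-populated IP/MAC cache comparison. The packet field names, the cache contents and the sample packets are constructed.

```python
"""Added example, not from the Intruder help file or Snort: the ARP
anomaly checks the help text lists, run over constructed packets."""

from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
REQUEST, REPLY = 1, 2

# Pre-populated IP -> MAC pairs (the help file's "internal cache");
# values are constructed.
KNOWN_PAIRS = {
    "192.168.100.1": "00:11:22:33:44:01",
    "192.168.100.23": "00:11:22:33:44:23",
}


@dataclass
class ArpPacket:
    eth_src: str      # source MAC in the Ethernet header
    eth_dst: str      # destination MAC in the Ethernet header
    op: int           # REQUEST or REPLY
    sender_mac: str   # sender hardware address in the ARP body
    sender_ip: str
    target_mac: str   # target hardware address in the ARP body
    target_ip: str


def check_arp(pkt, known=KNOWN_PAIRS):
    """Return the alerts this packet raises (empty list if clean)."""
    alerts = []
    same = lambda a, b: a.lower() == b.lower()
    if pkt.op == REQUEST:
        if not same(pkt.eth_src, pkt.sender_mac):
            alerts.append("request: Ethernet source MAC differs from ARP sender MAC")
        if not same(pkt.eth_dst, BROADCAST):
            alerts.append("request: unicast ARP request (destination not broadcast)")
    elif pkt.op == REPLY:
        if not same(pkt.eth_src, pkt.sender_mac):
            alerts.append("reply: Ethernet source MAC differs from ARP sender MAC")
        if not same(pkt.eth_dst, pkt.target_mac):
            alerts.append("reply: Ethernet destination MAC differs from ARP target MAC")
    # Cache check applies to requests and replies alike.
    expected = known.get(pkt.sender_ip)
    if expected is not None and not same(expected, pkt.sender_mac):
        alerts.append(f"cache mismatch: {pkt.sender_ip} claimed by "
                      f"{pkt.sender_mac}, expected {expected}")
    return alerts


# Constructed packets.
CLEAN_REQUEST = ArpPacket("00:11:22:33:44:23", BROADCAST, REQUEST,
                          "00:11:22:33:44:23", "192.168.100.23",
                          "00:00:00:00:00:00", "192.168.100.1")
# A reply claiming the gateway's IP with a MAC the cache does not know.
SPOOFED_REPLY = ArpPacket("de:ad:be:ef:00:01", "00:11:22:33:44:23", REPLY,
                          "de:ad:be:ef:00:01", "192.168.100.1",
                          "00:11:22:33:44:23", "192.168.100.23")
# A request with inconsistent headers, sent unicast to the gateway.
BAD_REQUEST = ArpPacket("00:11:22:33:44:23", "00:11:22:33:44:01", REQUEST,
                        "de:ad:be:ef:00:02", "192.168.100.23",
                        "00:00:00:00:00:00", "192.168.100.1")

if __name__ == "__main__":
    for name, pkt in [("clean request", CLEAN_REQUEST),
                      ("spoofed reply", SPOOFED_REPLY),
                      ("bad request", BAD_REQUEST)]:
        print(name, "->", check_arp(pkt) or ["no alert"])
```

The spoofed reply is internally consistent (both MAC comparisons pass) and is caught only by the pre-populated cache, which is the reason the help file recommends seeding it.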
rpc decode: This keyword is used to detect RPC-based
requests.
bo: Watches for Back Orifice.
telnet decode: This preprocessor allows Intruder to normalize
telnet control protocol characters out of the session. It
accepts a list of ports to run on as arguments. It normalizes
into a separate data buffer from the packet itself, so that
the raw data may still be logged or examined along with the
raw bytes content. It defaults to running on ports 21, 23, 25,
and 119.
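An added example of that normalization (not the help file's or Snort's own telnet decode code): negotiation sequences (IAC followed by a command, the three-byte WILL/WONT/DO/DONT options, and IAC SB ... IAC SE subnegotiations) are stripped into a new buffer while the raw bytes are left untouched, and a content match is applied to the normalized buffer only on the default ports. The session bytes are constructed.

```python
"""Added example, not from the Intruder help file or Snort: a telnet
normalizer that removes negotiation sequences into a separate buffer
and leaves the raw packet bytes as they were. Sample bytes constructed."""

IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
TELNET_PORTS = {21, 23, 25, 119}     # defaults named in the help text


def telnet_normalize(raw):
    """Return (normalized_bytes, stripped_sequence_count); raw is not
    modified."""
    out = bytearray()
    i, stripped, n = 0, 0, len(raw)
    while i < n:
        b = raw[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:                 # truncated IAC at the end: drop it
            stripped += 1
            break
        cmd = raw[i + 1]
        if cmd == IAC:                 # IAC IAC is an escaped 0xff data byte
            out.append(IAC)
            i += 2
            continue
        if cmd in (WILL, WONT, DO, DONT):
            i += 3                     # three-byte option negotiation
        elif cmd == SB:
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2    # drop the whole subnegotiation
        else:
            i += 2                     # two-byte command
        stripped += 1
    return bytes(out), stripped


def inspect_payload(port, raw, content):
    """Match content against the normalized buffer on telnet-decoded
    ports and against the raw bytes elsewhere; return (matched, buffer)."""
    buf = telnet_normalize(raw)[0] if port in TELNET_PORTS else raw
    return content in buf, buf


# Constructed session fragment: the help file's "open sesame" with
# negotiation bytes interleaved.
SAMPLE = (b"op" + bytes([IAC, DO, 1]) + b"en " + bytes([IAC, WILL, 3])
          + b"ses" + bytes([IAC, SB, 24, 0, IAC, SE]) + b"ame")

if __name__ == "__main__":
    norm, count = telnet_normalize(SAMPLE)
    print("raw        :", SAMPLE)
    print("normalized :", norm, "(", count, "sequences stripped )")
    print("match on 23:", inspect_payload(23, SAMPLE, b"open sesame")[0])
    print("match on 80:", inspect_payload(80, SAMPLE, b"open sesame")[0])
```

Because `SAMPLE` is returned unchanged alongside the normalized copy, the raw bytes can still be logged exactly as they crossed the wire.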
Flow is needed for NetBIOS.