Snort mailing list archives
real basic starter rules
From: Harry Putnam <reader () newsguy com>
Date: Wed, 24 Apr 2002 18:53:39 -0700
I'm having a rough time getting started with snort. Just installed the latest 8.6 from source. Had no problems with build. But now reading the Users Manual and trying to put together just some simple stuff to see what things do what. Maybe some examples I've taken direct from the Manual but edited in various ways will be the quickest way for any prospective poster to see what I'm screwing up. I always seem to have more than my share of trouble learning new apps, so I've come to believe it's a built-in operator problem on my end, so please bear with me as I pose possibly old worn-out questions.

After running some of the command lines from the first section of the manual I decided to push on to the next section about using the snort.conf file. A few of the things I tried after reading some of it seemed not to do what I understood they should:

1) The bidirectional example caught my attention.

   log !192.168.1.0/24 any <> 192.168.1.0/24 23

Only I couldn't see why the NOT (!) operator was in there. The discussion indicates it is supposed to capture both sides of the conversation. Editing a little, I set the numbers to reflect my setup and changed the port number to 21 (ftp). So with

   cat /usr/local/etc/snort.conf
   log !192.168.0.0/24 any <> 192.168.0.0/24 21

and having created the following directory, /var/log/snort/tests:

   ls -ld /var/log/snort/tests
   drwxr-xr-x 2 root root 4096 Apr 24 17:15 /var/log/snort/tests

using this command line:

   snort -dev -l /var/log/snort/tests -c /usr/local/etc/snort.conf

I get these results:

   root # snort -dev -l /var/log/snort/tests -c /usr/local/etc/snort.conf
   Log directory = /var/log/snort/tests
   Initializing Network Interface eth0
   --== Initializing Snort ==--
   Decoding Ethernet on interface eth0
   Initializing Preprocessors!
   Initializing Plug-ins!
   Initializating Output Plugins!
   Parsing Rules file /usr/local/etc/snort.conf
   +++++++++++++++++++++++++++++++++++++++++++++++++++
   Initializing rule chains...
   ERROR /usr/local/etc/snort.conf (1): Bad rule in rules file
   Fatal Error, Quitting..

Fails completely. After trying quite a few edited versions with no better success, I moved on to some other experiments. I thought maybe being more specific would let me see what I'm doing wrong:

   cat /usr/local/etc/snort.conf
   log tcp any any -> 128.111.24.43 21

command line:

   snort -dev -l /var/log/snort/tests -c /usr/local/etc/snort.conf

This time I see the traffic when I run an ftp session in another xterm. But also pinging the address shows the traffic too. But it doesn't get logged, so I guess I'm supposed to see any traffic but only log the stuff on port 21. And sure enough, I get a log file with a directory named with my local address:

   ls ./192.168.0.5/TCP:3336-21

showing the traffic. But I can't tell if I'm getting both sides. I think not.

Now I'm getting closer at least, but I really want to narrow it down to a single machine on the network, trying:

   log tcp 192.168.0.6 any -> 128.111.24.43 21

Fire up an ftp session from 192.168.0.6 to 128.111.24.43. I don't see any of this traffic. I do see all kinds of other guff going by but not that ftp session.

What is my error above? How can I track an ftp session from machine 192.168.0.6 to 128.111.24.43 21 or any other client/server pair?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
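Added example (editor's code, not from the post or from Snort itself): a small Python checker for the Snort 1.x rule header, which has exactly seven fields (action, protocol, source IP, source port, direction operator, destination IP, destination port). It reports a header that does not have all seven fields and evaluates which packet 5-tuples a header would match, including the negated-CIDR and bidirectional "<>" semantics. The rules and packets below are constructed from the post; the checker ignores the optional "( ... )" options section.

```python
import ipaddress

ACTIONS = {"alert", "log", "pass"}   # Snort 1.x header actions
PROTOS = {"tcp", "udp", "icmp", "ip"}

def parse_header(rule):
    """Split a Snort rule header into its seven fields; raise on a bad rule."""
    fields = rule.split("(")[0].split()          # drop any options section
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}: {rule!r}")
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOS:
        raise ValueError(f"unknown protocol {proto!r} (header needs a protocol field)")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator {direction!r}")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport}

def check(rule):
    """Return 'ok' or the parser's complaint, for quick rule-file linting."""
    try:
        parse_header(rule)
        return "ok"
    except ValueError as err:
        return str(err)

def _ip_match(spec, ip):
    """'any', a host or CIDR, optionally negated with a leading '!'."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(ip) in net
    return not hit if spec.startswith("!") else hit

def _port_match(spec, port):
    """'any', a single port, or a low:high range (either end may be open)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port

def matches(rule, proto, sip, sport, dip, dport):
    """True if the packet matches the header; '<>' also tries the reverse direction."""
    h = parse_header(rule)
    if h["proto"] not in (proto, "ip"):
        return False
    def one_way(a, ap, b, bp):
        return (_ip_match(h["src"], a) and _port_match(h["sport"], ap)
                and _ip_match(h["dst"], b) and _port_match(h["dport"], bp))
    return one_way(sip, sport, dip, dport) or (h["dir"] == "<>" and one_way(dip, dport, sip, sport))
```

Running check() over the first rule in the post reports six fields instead of seven, and matches() shows that a "->" header only covers the client-to-server half of the FTP session while "<>" covers the server's replies as well.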
Current thread:
- real basic starter rules Harry Putnam (Apr 24)
- Re: real basic starter rules Phil Wood (Apr 25)
- Re: real basic starter rules Harry Putnam (Apr 25)
- Re: real basic starter rules Harry Putnam (Apr 26)
- Re: real basic starter rules Rich Adamson (Apr 27)
- Re: real basic starter rules Harry Putnam (Apr 27)
- Re: real basic starter rules Harry Putnam (Apr 25)
- Re: real basic starter rules Phil Wood (Apr 25)