Snort mailing list archives
Snort not seeing any alerts
From: Dan.McNulty () choicepoint net
Date: Fri, 25 Oct 2002 09:18:50 -0400
My apologies if this is double-posted. I posted it first the the newsgroup instead of the mailing-list, but it later occurred to me that might not work. The original message follows: ================================================================= I am running Snort on a box that is also running IPTables. The box has two interfaces, one public and one private. I am pointing Snort at the outside interface and directing attack.pl (an attack simulator from the Snort website) at the outside interface from yet another box elsewhere on the internet. I have tested that the simulator works against an already functioning snort box. I am not a complete newb with snort, but I am stymied. I have a feeling its something really stupid. If I run "snort -v -i eth0" I see all kinds of traffic stream by. tcpdump also confirms that the simulated attacks are reaching the box and that promisc mode works. Here is how I am starting snort: snort -d -i eth0 -l /var/log/snort -u snort -c /etc/snort/snort.junk and here is the config file, snort.junk: var HOME_NET [10.0.1.0/24] var EXTERNAL_NET any var SMTP $HOME_NET var HTTP_SERVERS $HOME_NET var SQL_SERVERS $HOME_NET var DNS_SERVERS $HOME_NET var RULE_PATH /etc/snort/ var SHELLCODE_PORTS !80 var HTTP_PORTS 80 var ORACLE_PORTS 1521 preprocessor frag2 preprocessor stream4: detect_scans, disable_evasion_alerts preprocessor stream4_reassemble preprocessor http_decode: 80 -unicode -cginull preprocessor rpc_decode: 111 32771 preprocessor bo preprocessor telnet_decode preprocessor portscan: $HOME_NET 4 3 portscan.log output alert_fast: /var/log/snort/snort.alert include classification.config include $RULE_PATH/bad-traffic.rules include $RULE_PATH/exploit.rules include $RULE_PATH/scan.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/telnet.rules include $RULE_PATH/smtp.rules include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/dos.rules include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/tftp.rules include $RULE_PATH/web-cgi.rules include $RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-iis.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/sql.rules include $RULE_PATH/x11.rules include $RULE_PATH/icmp.rules include $RULE_PATH/netbios.rules include $RULE_PATH/misc.rules include $RULE_PATH/attack-responses.rules # include $RULE_PATH/backdoor.rules include $RULE_PATH/shellcode.rules # include $RULE_PATH/policy.rules # include $RULE_PATH/porn.rules # include $RULE_PATH/info.rules # include $RULE_PATH/icmp-info.rules # include $RULE_PATH/virus.rules include $RULE_PATH/local.rules =================================================== And here is the output when I run snort: Log directory = /var/log/snort Initializing Network Interface eth0 --== Initializing Snort ==-- Decoding Ethernet on interface eth0 Initializing Preprocessors! Initializing Plug-ins! Initializating Output Plugins! Parsing Rules file /etc/snort/snort.junk +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... No arguments to frag2 directive, setting defaults to: Fragment timeout: 60 seconds Fragment memory cap: 4194304 bytes Fragment min_ttl: 0 Fragment ttl_limit: 5 Fragment Problems: 0 Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes State alerts: INACTIVE Evasion alerts: INACTIVE Scan alerts: ACTIVE Log Flushed Streams: INACTIVE MinTTL: 1 TTL Limit: 5 No arguments to stream4_reassemble, setting defaults: Reassemble client: ACTIVE Reassemble server: INACTIVE Reassemble ports: 21 23 25 53 80 143 110 111 513 Reassembly alerts: ACTIVE Reassembly method: FAVOR_OLD Using LOCAL time ProcessFileOption: /var/log/snort/snort.alert 1239 Snort rules read... 1239 Option Chains linked into 125 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ Rule application order: ->activation->dynamic->alert->pass->log --== Initialization Complete ==-- -*> Snort! <*- Version 1.8.7 (Build 128) By Martin Roesch (roesch () sourcefire com, www.snort.org) ------------------------------------------------------- This sf.net email is sponsored by: Influence the future of Java(TM) technology. Join the Java Community Process(SM) (JCP(SM)) program now. http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0004en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort not seeing any alerts Dan . McNulty (Oct 25)