Snort mailing list archives
FW: (reality check)Solved(i think):OpenBSD 3.4 snort--X-->mysql alerts now being generated
From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
Date: Fri, 23 Apr 2004 19:06:56 -0400
Sent: Friday, April 23, 2004 19:04
Subject: re:(reality check)Solved(i think):OpenBSD 3.4 snort--X-->mysql alerts now being generated

Question: Why are there no alerts being generated?

Answer I think:
Looking at my previous post:

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 9          (3.409%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 255        (96.591%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)

I noticed a lot of ARPs and a little UDP (NetBIOS, I am guessing, since the laptop is running Win2k). I realized that the reason I was not receiving any alerts was that the only system on this test network with an IP address is the laptop (with no gateway configured) running nmap. The bridge interface does not have an IP address. Consequently, when I connected the cross-connected cable to an interface with an IP address and ran nmap against the IP address associated with this interface, alerts were sent to the snort database and ACID displayed the alerts.

In the case where the laptop was connected to an interface with no IP address, since there is no valid (i.e. 00-00-00-00-00-00) response to the ARP request for a host(s) on the network, the laptop (running nmap) cannot send malicious packet(s) to any system on the network because it has no MAC address for the system being attacked. Running a scan from the laptop connected to the bridge and checking the ARP cache on the laptop revealed there were no valid entries in the ARP cache.

Question: I assume in order for snort to detect alerts from nmap there must be at least two systems with IP addresses on the network, or the vulnerability scanner must have a static MAC address in its ARP cache in order to send packets to the snort box on the network?

Question: If I were to put a static MAC address in the ARP cache for the host that nmap will scan against, would I see alerts from the bridge interface with no IP address?
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort-users-request () lists sourceforge net

Message: 5
Date: Thu, 22 Apr 2004 12:33:17 -0400
From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] OpenBSD 3.4 snort--X-->mysql not working and I don't see any errors on startup

Question: Why are no alerts being generated?
(I apologize in advance for the long message.)

References:
(1) http://openbsddiary.org/index.php?page=snort#ConfigMySQL (not used)
(2) http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb_faq.html#faq_b1
(3) http://archives.neohapsis.com/archives/snort/2000-06/0181.html (used)

Lab equipment:
1. Windows laptop w/NMAP
2. OpenBSD 3.4 on Intel w/snort, mysql, acid (and associated software to make acid run)
3. One cross-connected twisted pair cable between 1. (laptop) and 2. (one port: ethernet1 on OpenBSD bridge)

Procedure:
1. (OpenBSD) configure bridging on OpenBSD to monitor two (2) networks running one instance of snort.
2. start snort in sniffer mode:
   /usr/local/bin/snort -dev -i bridge0
   [block nonip, block outbound traffic to LANs connected to bridge, allow IP traffic in]
3. (laptop) start nmap up, run SYN scan.
   Results: snort dumps traffic to screen.
4. start snort:
   /usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -D > /dev/null & echo -n ' snort'
5. (laptop) start nmap up, run SYN scan.
   Results: database does not grow in size and alerts file is empty.
6. kill snort and run from the command line:
   /usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -o -N
   [See: Script started on Wed Apr 21 18:24:42 2004 for screen dump]
   Results: database does not grow in size and alerts file is empty.
   Notice a lot of ARPs. Probably because the laptop is the only system on this net with an IP address.

Question: Why are no alerts being generated?
Data:
Script started on Wed Apr 21 18:24:42 2004
machine1# /usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -o -N
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface bridge0
OpenPcap() device bridge0 network lookup:
        bridge0: no IPv4 address assigned

        -- Initializing Snort --
Rule application order changed to Pass->Alert->Log
Initializing Output Plugins!
Decoding Ethernet on interface bridge0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
Rule application order: ->pass->activation->dynamic->alert->log

        -- Initialization Complete --

-*> Snort! <*-
Version 2.1.2 (Build 25)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
^C

Snort analyzed 264 out of 264 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 9          (3.409%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 255        (96.591%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
.....

,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.159130)/blocks (16686/3)
Overhead blocks: 1 Could Hold: (73326)
IPV4 count: 2 frees: 0 low_time: 1082587587, high_time: 1082587588, diff: 0h:00:01s
    finds: 9 reversed: 0(%0.000000)
    find_sucess: 7 find_fail: 2 percent_success: (%77.777778) new_flows: 2
  Protocol: 17 (%100.000000) finds: 9 reversed: 0(%0.000000)
    find_sucess: 7 find_fail: 2 percent_success: (%77.777778) new_flows: 2

database: Closing connection to database ""
Snort exiting
machine1# exit
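The exit summary in the post is the whole diagnosis: 255 of 264 packets were ARP, none were TCP or ICMP, so the zero alert count says nothing about the ruleset or the MySQL output plugin; the bridge simply never saw an IP packet because the scanning laptop had no neighbour to resolve. The following script is an added example, not code from the post or from the Snort project. It parses a Snort 2.1-style "Breakdown by protocol" / "Action Stats" summary and classifies a zero-alert run as either "sensor saw no IP traffic" (the post's situation) or "IP traffic seen, look at rules and output instead". The first sample uses the post's own numbers with the two-column layout reconstructed; the second sample is a constructed, hypothetical healthy run. Function names and thresholds are the example's own choices.

```python
import re

# Constructed sample: the exit summary Snort 2.1.2 printed in the post above
# (the numbers are the post's own; the two-column layout is reconstructed).
SAMPLE_SUMMARY = """\
Snort analyzed 264 out of 264 packets, dropping 0(0.000%) packets
Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 9          (3.409%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 255        (96.591%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
"""

# Constructed counter-example (hypothetical numbers): a sensor on a segment
# with reachable IP hosts, where a scan did produce alerts.
HEALTHY_SUMMARY = """\
Snort analyzed 1340 out of 1340 packets, dropping 0(0.000%) packets
Breakdown by protocol:                Action Stats:
    TCP: 1210       (90.299%)         ALERTS: 37
    UDP: 12         (0.896%)          LOGGED: 37
   ICMP: 4          (0.299%)          PASSED: 0
    ARP: 114        (8.507%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
"""

# Protocol rows start the line; the action column shares lines with TCP/UDP/ICMP.
PROTO_RE = re.compile(
    r"^\s*(TCP|UDP|ICMP|ARP|EAPOL|IPv6|IPX|OTHER|DISCARD):\s+(\d+)", re.MULTILINE)
ACTION_RE = re.compile(r"\b(ALERTS|LOGGED|PASSED):\s+(\d+)")
ANALYZED_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")


def parse_summary(text):
    """Parse Snort's exit summary into (protocol counts, action counts, analyzed)."""
    protos = {name: int(n) for name, n in PROTO_RE.findall(text)}
    actions = {name: int(n) for name, n in ACTION_RE.findall(text)}
    m = ANALYZED_RE.search(text)
    analyzed = int(m.group(1)) if m else 0
    return protos, actions, analyzed


def visibility_check(protos, actions, analyzed, arp_share_limit=0.9):
    """Decide whether 'ALERTS: 0' means a quiet segment or a sensor that saw no IP traffic.

    Returns (status, explanation). 'arp_only' is the situation in the post: the
    scanner never got an ARP reply, so only its ARP requests reached the bridge.
    """
    if analyzed == 0:
        return "empty", "no packets analyzed; check the interface and any BPF filter"
    ip_pkts = sum(protos.get(p, 0) for p in ("TCP", "UDP", "ICMP", "IPv6"))
    arp_share = protos.get("ARP", 0) / analyzed
    if protos.get("TCP", 0) == 0 and protos.get("ICMP", 0) == 0 and arp_share >= arp_share_limit:
        return ("arp_only",
                f"{arp_share:.1%} ARP and no TCP/ICMP: no IP host on the segment answered "
                "ARP, so the scanner could not send IP packets for the rules to match")
    if ip_pkts > 0 and actions.get("ALERTS", 0) == 0:
        return ("ip_no_alerts",
                f"{ip_pkts} IP packets seen but no alerts: sensor placement is fine; "
                "check the ruleset, HOME_NET/EXTERNAL_NET and the output plugin")
    return "ok", f"{ip_pkts} IP packets, {actions.get('ALERTS', 0)} alerts"


if __name__ == "__main__":
    for label, text in (("bridge0 (post)", SAMPLE_SUMMARY), ("constructed", HEALTHY_SUMMARY)):
        p, a, n = parse_summary(text)
        status, why = visibility_check(p, a, n)
        print(f"{label}: {status} - {why}")
```

The check is deliberately split in two: an ARP-dominated summary with no TCP or ICMP points at layer-2 reachability (the scanner has nothing in its ARP cache, exactly what the post found), whereas IP packets with zero alerts point at the Snort configuration. Running it against the post's numbers returns `arp_only`; a sensor on a bridge with no IP address of its own is fine, but it only sees what the hosts on either side can actually exchange.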