Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Snort but no alert

From: "nyarlathothep\@libero\.it" <nyarlathothep () libero it>
Date: Thu, 13 May 2004 17:08:42 +0200
The rule path is correct, Snort says 1991 rules when it starts up...

I think that is something about the net configuration, even if I dont know what could be :(

If I use snort like a sniffer, snort -dev -i eth1 Il see lot and lot and lot of traffics!  eth1 is the interface

WITHOUT IP address connected to the switch. eth0 is connected to the inside network

All the traffic from the others subnets is sent to the IDS by the switch...

Snort works well when it was connected locally, it stops to work when I connect the IDS to the switch,

but the sensor sees the traffica but report only the rules I've posted,

Matteo


Is the rules path correct? /etc/snort/rules/xxxxx.rules , It seems the
only rules processing are the one statically assigned in the .conf file.
I would cleanup/rework the conf file a bit.

In your snort startup script, are you listening on the correct
interface? Try doing this:

/path/to/snort -i eth1 (then your other switches , like path to config
file and such). What is the output?

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
nyarlathothep () libero it
Sent: Wednesday, May 12, 2004 11:02 AM
To: snort-users
Subject: [Snort-users] Snort but no alert

Hello everyone,
I'm still here with my problem.
I've a snort debian box that listen on an interface (eth1, without ip
address)
on the external net while is connected on eth0 to the internal net,
interface
that I use to read the data that Snort puts in the database.
The problem that I dont receive rules alerts, except for ICMP
destination
unreaceable, but only preprocessor alert, even when I try to scan the
box with
Nessus or NMap.
I hope that someone could help me,

(ps I've attach my conf file, all the rules are sselected)

Thanks,

Matteo

SNORT.CONF

var HOME_NET 10.1.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,
64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2

preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile apache ports {
80 8080
8180 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771


preprocessor bo


                                          preprocessor telnet_decode







     preprocessor flow-portscan: talker-sliding-scale-factor 0.50
talker-fixed-threshold 30 talker-sliding-threshold 30
talker-sliding-window 20
talker-fixed-window 30 scoreboard-rows-talker 30000 server-watchnet
$HOME_NET
server-ignore-limit 200 server-rows 65535 server-learning-time 14400
server-scanner-limit 4 scanner-sliding-window 20
scanner-sliding-scale-factor
0.50 scanner-fixed-threshold 15 scanner-sliding-threshold 40
scanner-fixed-window 15 scoreboard-rows-scanner 30000 src-ignore-net
$HOME_NET
dst-ignore-net [10.0.0.0/30] alert-mode once output-mode msg
tcp-penalties on  








output database: alert, postgresql, user=postgres dbname=snort
host=localhost


include classification.config

                                                              include
reference.config





        

include $RULE_PATH/local.rules

                                                              include
$RULE_PATH/bad-traffic.rules

                                                      include
$RULE_PATH/exploit.rules
...



ALERT

[**] [1:485:2] ICMP Destination Unreachable (Communication
Administratively
Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-15:47:42.319644 193.207.171.97 -> 151.11.129.212
ICMP TTL:247 TOS:0x20 ID:47996 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
151.11.129.212:135 -> 172.133.197.74:2249
TCP TTL:254 TOS:0x40 ID:0 IpLen:20 DgmLen:40 DF
Seq: 0x0  Ack: 0x0
** END OF DUMP

[**] [121:4:1] Portscan detected from 200.191.164.142 Talker(fixed: 30
sliding:
30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:49:09.988413

[**] [121:4:1] Portscan detected from 192.168.150.2 Talker(fixed: 2
sliding: 30)
Scanner(fixed: 0 sliding: 0) [**]
05/12-15:50:39.821253

[**] [121:4:1] Portscan detected from 66.185.41.191 Talker(fixed: 30
sliding:
30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:52:53.437042

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:38.001287 192.168.150.2:53239 -> 213.178.220.130:31337
UDP TTL:61 TOS:0x0 ID:22741 IpLen:20 DgmLen:46
Len: 18

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:40.994216 192.168.150.2:53239 -> 213.178.220.130:31337
UDP TTL:61 TOS:0x0 ID:22742 IpLen:20 DgmLen:46
Len: 18

[**] [121:4:1] Portscan detected from 210.95.44.31 Talker(fixed: 30
sliding: 30)
Scanner(fixed: 0 sliding: 0) [**]
05/12-16:07:01.105576

[**] [1:487:2] ICMP Destination Unreachable (Communication with
Destination
Network is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-16:07:27.486375 147.123.1.42 -> 213.178.220.1
ICMP TTL:62 TOS:0x0 ID:41603 IpLen:20 DgmLen:56
Type:3  Code:9  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED
NETWORK
FILTERED
** ORIGINAL DATAGRAM DUMP:
213.178.220.1:53 -> 69.50.179.2:60369
UDP TTL:61 TOS:0x0 ID:43291 IpLen:20 DgmLen:199
Len: 171
** END OF DUMP

[**] [1:487:2] ICMP Destination Unreachable (Communication with
Destination
Network is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-16:07:42.725148 147.123.1.42 -> 213.178.220.1
ICMP TTL:62 TOS:0x0 ID:46666 IpLen:20 DgmLen:56
Type:3  Code:9  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED
NETWORK
FILTERED
** ORIGINAL DATAGRAM DUMP:
213.178.220.1:53 -> 69.50.179.14:46007
UDP TTL:61 TOS:0x0 ID:43292 IpLen:20 DgmLen:199
Len: 171
** END OF DUMP

[**] [121:4:1] Portscan detected from 69.44.61.30 Talker(fixed: 30
sliding: 30)
Scanner(fixed: 0 sliding: 0) [**]
05/12-16:23:58.282652

[**] [121:4:1] Portscan detected from 151.11.129.54 Talker(fixed: 30
sliding:
30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:28:50.508095






-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=dnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users





-------------------------------
-------------------------------
------
Matteo Poropat
mailto:nyarlathothep@liber
o.it
http://www.genhome.org
http://books.dreambook.co
m/mefistofele74/genhome.
html
-------------------------------
-------------------------------
------



-------------------------------------------------------
This SF.Net email is sponsored by: SourceForge.net Broadband
Sign-up now for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id%62&alloc_ida84&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: