Snort mailing list archives
RE: Snort but no alert
From: "nyarlathothep\@libero\.it" <nyarlathothep () libero it>
Date: Thu, 13 May 2004 17:08:42 +0200
The rule path is correct, Snort says 1991 rules when it starts up... I think that it is something about the net configuration, even if I don't know what it could be :(

If I use Snort like a sniffer, snort -dev -i eth1, I'll see lots and lots and lots of traffic! eth1 is the interface WITHOUT an IP address connected to the switch. eth0 is connected to the inside network. All the traffic from the other subnets is sent to the IDS by the switch...

Snort worked well when it was connected locally; it stops working when I connect the IDS to the switch, but the sensor sees the traffic and reports only the rules I've posted.

Matteo
Is the rules path correct? /etc/snort/rules/xxxxx.rules? It seems the only rules being processed are the ones statically assigned in the .conf file. I would clean up/rework the conf file a bit. In your snort startup script, are you listening on the correct interface? Try doing this: /path/to/snort -i eth1 (then your other switches, like path to config file and such). What is the output?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of nyarlathothep () libero it
Sent: Wednesday, May 12, 2004 11:02 AM
To: snort-users
Subject: [Snort-users] Snort but no alert

Hello everyone, I'm still here with my problem. I have a Snort Debian box that listens on an interface (eth1, without an IP address) on the external net, while it is connected on eth0 to the internal net, the interface that I use to read the data that Snort puts in the database. The problem is that I don't receive rule alerts, except for ICMP destination unreachable, but only preprocessor alerts, even when I try to scan the box with Nessus or Nmap.

I hope that someone could help me. (PS: I've attached my conf file; all the rules are selected.) Thanks, Matteo

SNORT.CONF

var HOME_NET 10.1.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile apache ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: talker-sliding-scale-factor 0.50 talker-fixed-threshold 30 talker-sliding-threshold 30 talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker 30000 server-watchnet $HOME_NET server-ignore-limit 200 server-rows 65535 server-learning-time 14400 server-scanner-limit 4 scanner-sliding-window 20 scanner-sliding-scale-factor 0.50 scanner-fixed-threshold 15 scanner-sliding-threshold 40 scanner-fixed-window 15 scoreboard-rows-scanner 30000 src-ignore-net $HOME_NET dst-ignore-net [10.0.0.0/30] alert-mode once output-mode msg tcp-penalties on
output database: alert, postgresql, user=postgres dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
...
ALERT

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-15:47:42.319644 193.207.171.97 -> 151.11.129.212
ICMP TTL:247 TOS:0x20 ID:47996 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
151.11.129.212:135 -> 172.133.197.74:2249
TCP TTL:254 TOS:0x40 ID:0 IpLen:20 DgmLen:40 DF
Seq: 0x0 Ack: 0x0
** END OF DUMP

[**] [121:4:1] Portscan detected from 200.191.164.142 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:49:09.988413

[**] [121:4:1] Portscan detected from 192.168.150.2 Talker(fixed: 2 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:50:39.821253

[**] [121:4:1] Portscan detected from 66.185.41.191 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:52:53.437042

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:38.001287 192.168.150.2:53239 -> 213.178.220.130:31337
UDP TTL:61 TOS:0x0 ID:22741 IpLen:20 DgmLen:46
Len: 18

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:40.994216 192.168.150.2:53239 -> 213.178.220.130:31337
UDP TTL:61 TOS:0x0 ID:22742 IpLen:20 DgmLen:46
Len: 18

[**] [121:4:1] Portscan detected from 210.95.44.31 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:07:01.105576

[**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-16:07:27.486375 147.123.1.42 -> 213.178.220.1
ICMP TTL:62 TOS:0x0 ID:41603 IpLen:20 DgmLen:56
Type:3 Code:9 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK FILTERED
** ORIGINAL DATAGRAM DUMP:
213.178.220.1:53 -> 69.50.179.2:60369
UDP TTL:61 TOS:0x0 ID:43291 IpLen:20 DgmLen:199
Len: 171
** END OF DUMP

[**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-16:07:42.725148 147.123.1.42 -> 213.178.220.1
ICMP TTL:62 TOS:0x0 ID:46666 IpLen:20 DgmLen:56
Type:3 Code:9 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK FILTERED
** ORIGINAL DATAGRAM DUMP:
213.178.220.1:53 -> 69.50.179.14:46007
UDP TTL:61 TOS:0x0 ID:43292 IpLen:20 DgmLen:199
Len: 171
** END OF DUMP

[**] [121:4:1] Portscan detected from 69.44.61.30 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:23:58.282652

[**] [121:4:1] Portscan detected from 151.11.129.54 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:28:50.508095

-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=dnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------------------
Matteo Poropat
mailto:nyarlathothep@libero.it
http://www.genhome.org
http://books.dreambook.com/mefistofele74/genhome.html
-------------------------------------------------------------------
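A diagnostic for the setup discussed in this thread, added here as an example (it is not Snort's own code nor the poster's configuration; the snort.conf excerpt and the alert lines below are constructed to match what was quoted, and the 10.1.0.5 address is invented so that one address lies inside HOME_NET). It parses the HOME_NET variable and the include lines from the conf, pulls every source and destination address out of the alert output, and lists the ones that fall outside HOME_NET. Snort rule headers written with $HOME_NET only match traffic to or from those ranges, so when a sensor is moved onto a switch port that mirrors other subnets and only preprocessor alerts fire, checking that the addresses it actually sees are covered by HOME_NET is a quick first test.

```python
"""Check which addresses seen in Snort alert output fall outside HOME_NET.

Added example for the thread above, not Snort's code or the poster's setup.
Rule headers using $HOME_NET match only traffic to or from those ranges, so
a sensor that now sees other subnets stays quiet for them until HOME_NET
covers what it monitors.
"""
import ipaddress
import re

# Constructed excerpt modelled on the snort.conf quoted in the thread.
SNORT_CONF = """\
var HOME_NET 10.1.0.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var RULE_PATH /etc/snort/rules
include classification.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
"""

# Constructed alert lines in the same "src[:port] -> dst[:port]" shape as the
# quoted output.  The 10.1.0.5 line is invented so one address is in HOME_NET.
ALERT_LOG = """\
05/12-15:47:42.319644 193.207.171.97 -> 151.11.129.212 ICMP TTL:247
05/12-15:53:38.001287 192.168.150.2:53239 -> 213.178.220.130:31337 UDP TTL:61
05/12-16:07:27.486375 147.123.1.42 -> 213.178.220.1 ICMP TTL:62
05/12-16:30:00.000000 10.1.0.5:1034 -> 213.178.220.1:53 UDP TTL:64
"""

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PAIR_RE = re.compile(_IP + r"(?::\d+)?\s+->\s+" + _IP)
VAR_RE = re.compile(r"\$(\w+)")


def _expand(value, variables):
    """Replace $NAME references with already-defined variable values."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)


def parse_conf(text):
    """Return (variables, rules_files) from snort.conf-style text."""
    variables, rules_files = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:
            variables[parts[1]] = _expand(parts[2], variables)
        elif parts[0] == "include" and len(parts) >= 2:
            path = _expand(parts[1], variables)
            if path.endswith(".rules"):
                rules_files.append(path)
    return variables, rules_files


def parse_net_spec(value):
    """Parse a Snort address spec: 'any', 'a.b.c.d/n', '[n1,n2,...]' or '!...'.

    Returns (networks, negated); networks is None for 'any'.
    """
    value = value.strip()
    if value == "any":
        return None, False
    negated = value.startswith("!")
    body = value.lstrip("!").strip().strip("[]")
    nets = [ipaddress.ip_network(v.strip(), strict=False)
            for v in body.split(",") if v.strip()]
    return nets, negated


def in_spec(addr, spec):
    """True if the dotted-quad string addr matches the parsed address spec."""
    nets, negated = spec
    if nets is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets) != negated


def addresses_seen(log_text):
    """Collect every src and dst address from 'src -> dst' alert lines."""
    seen = set()
    for m in PAIR_RE.finditer(log_text):
        seen.update(m.groups())
    return seen


def check_home_net(conf_text, log_text):
    """Report HOME_NET, the rules files included, and addresses outside HOME_NET."""
    variables, rules_files = parse_conf(conf_text)
    spec = parse_net_spec(variables.get("HOME_NET", "any"))
    seen = addresses_seen(log_text)
    outside = sorted(a for a in seen if not in_spec(a, spec))
    return {
        "home_net": variables.get("HOME_NET"),
        "rules_files": rules_files,
        "addresses_seen": len(seen),
        "outside_home_net": outside,
    }


if __name__ == "__main__":
    report = check_home_net(SNORT_CONF, ALERT_LOG)
    print(f"HOME_NET = {report['home_net']}, "
          f"{len(report['rules_files'])} rules files included")
    print(f"{report['addresses_seen']} addresses seen; outside HOME_NET: "
          f"{report['outside_home_net']}")
```

Run against a real snort.conf and the alert file, the same two functions apply unchanged; if most of the addresses reported come back outside HOME_NET, rules keyed on $HOME_NET cannot fire for that traffic regardless of how many rules files load at startup.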
Current thread:
- Snort but no alert nyarlathothep () libero it (May 12)
- RE: Snort but no alert Michael Steele (May 12)
- <Possible follow-ups>
- RE: Snort but no alert Nick Duda (May 12)
- RE: Snort but no alert nyarlathothep () libero it (May 13)
- RE: Snort but no alert nyarlathothep () libero it (May 17)