Snort mailing list archives
I don't see no porn
From: bofh <goodb0fh () gmail com>
Date: Thu, 12 Aug 2004 17:24:59 -0500
Hi,

Basic install of snort from openbsd 3.5's port collection, snort 2.0.0. Rules are the ones I downloaded today, Aug 12, 2004. After installing it, I run it with the following command line:

    % snort -A fast -c /etc/snort.conf -I -D

/etc/snort.conf is default, with the following changes:

    var RULE_PATH /etc/snort/rules
    include /etc/snort/classification.config
    include /etc/snort/reference.config
    include $RULE_PATH/web-attacks.rules
    include $RULE_PATH/backdoor.rules
    include $RULE_PATH/porn.rules
    include $RULE_PATH/virus.rules

I then hop over to another machine on the same hub, and google for "nude cheerleader". Why is snort not catching any nude cheerleaders? snort creates /var/log/snort/alert, but it stays empty.

It sees the traffic though, because, if I do a:

    % snort -v host 192.168.11.134 and port 3128

I get a whole bunch of

    08/12-17:22:39.394159 192.168.11.134:4510 -> 192.168.11.253:3128
    TCP TTL:128 TOS:0x0 ID:23551 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xF304593D  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    08/12-17:22:39.394238 192.168.11.253:3128 -> 192.168.11.134:4510
    TCP TTL:64 TOS:0x0 ID:6284 IpLen:20 DgmLen:48 DF
    ***A**S* Seq: 0x25D4274  Ack: 0xF304593E  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    08/12-17:22:39.394410 192.168.11.134:4510 -> 192.168.11.253:3128
    TCP TTL:128 TOS:0x0 ID:23552 IpLen:20 DgmLen:40 DF
    ***A**** Seq: 0xF304593E  Ack: 0x25D4275  Win: 0xFFFF  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

and when I Ctrl-C out of snort, I get:

    Snort analyzed 545 out of 545 packets, dropping 0(0.000%) packets

    Breakdown by protocol:                Action Stats:
        TCP: 27         (4.954%)          ALERTS: 0
        UDP: 0          (0.000%)          LOGGED: 0
       ICMP: 0          (0.000%)          PASSED: 0
        ARP: 0          (0.000%)
      EAPOL: 0          (0.000%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 0          (0.000%)
    DISCARD: 0          (0.000%)
    ===============================================================================
    Wireless Stats:
    Breakdown by type:
        Management Packets: 0          (0.000%)
        Control Packets:    0          (0.000%)
        Data Packets:       0          (0.000%)
    ===============================================================================
    Fragmentation Stats:
    Fragmented IP Packets: 0          (0.000%)
        Fragment Trackers: 0
       Rebuilt IP Packets: 0
       Frag elements used: 0
    Discarded(incomplete): 0
       Discarded(timeout): 0
      Frag2 memory faults: 0
    ===============================================================================
    TCP Stream Reassembly Stats:
            TCP Packets Used: 0          (0.000%)
             Stream Trackers: 0
              Stream flushes: 0
               Segments used: 0
        Stream4 Memory Faults: 0
    ===============================================================================
    Snort exiting

Thanx.
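One check worth making when a rule set fires nothing while snort -v plainly shows the traffic is whether the observed packets would even pass the rule header's port test, since a rule's content matching is never reached for packets the header excludes. The following Python is an added example, not code from the post or from Snort: it parses the packet summaries quoted above and counts how many would be eligible under a header of the form "src_ports -> dst_ports", using the Snort 2.0 default of HTTP_PORTS being 80 and the network variables being "any" as stated assumptions (IP networks are not evaluated).

```python
import re

# Packet summaries constructed from the `snort -v` output quoted in the post.
SNORT_V_OUTPUT = """\
08/12-17:22:39.394159 192.168.11.134:4510 -> 192.168.11.253:3128
TCP TTL:128 TOS:0x0 ID:23551 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF304593D Ack: 0x0 Win: 0xFFFF TcpLen: 28
08/12-17:22:39.394238 192.168.11.253:3128 -> 192.168.11.134:4510
TCP TTL:64 TOS:0x0 ID:6284 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x25D4274 Ack: 0xF304593E Win: 0x4000 TcpLen: 28
08/12-17:22:39.394410 192.168.11.134:4510 -> 192.168.11.253:3128
TCP TTL:128 TOS:0x0 ID:23552 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xF304593E Ack: 0x25D4275 Win: 0xFFFF TcpLen: 20
"""

# Matches the "timestamp src:port -> dst:port" line that starts each packet.
HEADER_RE = re.compile(r"^\S+ ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def parse_flows(text):
    """Return (src_ip, src_port, dst_ip, dst_port) for every packet header line."""
    flows = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows

def port_matches(spec, port):
    """Snort-style port spec: 'any', one port, or a range 'lo:hi' (open ends allowed)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port

def check_rule_header(text, src_spec, dst_spec):
    """Return (total, eligible): packets whose ports satisfy 'src_spec -> dst_spec'.
    Network variables are assumed to be 'any' (snort.conf default); only ports are tested."""
    flows = parse_flows(text)
    eligible = [f for f in flows
                if port_matches(src_spec, f[1]) and port_matches(dst_spec, f[3])]
    return len(flows), len(eligible)

if __name__ == "__main__":
    # Assumed HTTP_PORTS default of 80 versus the proxy port actually on the wire.
    print(check_rule_header(SNORT_V_OUTPUT, "80", "any"))    # (3, 0)
    print(check_rule_header(SNORT_V_OUTPUT, "3128", "any"))  # (3, 1)
```

The same function can be pointed at a longer snort -v capture to see which port variable a rule set would need before its content checks apply to the traffic in question.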
Current thread:
- I don't see no porn bofh (Aug 12)
- rules not triggering bofh (Aug 13)
- Re: rules not triggering stephane nasdrovisky (Aug 13)
- rules not triggering bofh (Aug 13)