Snort mailing list archives

Re: rules not triggering


From: stephane nasdrovisky <stephane.nasdrovisky () paradigmo com>
Date: Fri, 13 Aug 2004 17:58:27 +0200

snort will not find anything interesting between you and your proxy (port 3128)
you'd better move your sensor somewhere between you/your proxy and internet.
you also have to configure HOME_NET and EXTERNAL_NET, read the whole snort.conf, understand it (eventually, the doc may help) and finally, update this config file so that it matches your network needs.

you may eventually change the HTTP_PORTS to 3128, this way, most rules will trigger on traffic travelling between you and your proxy (on port 3128), not on port 80 (which requires the sensor to be moved between your proxy and internet).

anyway, in the end, you'll probably move your sensor 'near' your internet connection, after all, what are you interested in? your boss googling for nice pictures or internet threats?

bofh wrote:

Basic install of snort from openbsd 3.5's port collection, snort 2.0.0.
Rules are the ones I downloaded today, Aug 12, 2004.
After installing it, I run it with the following command line:

% snort -A fast -c /etc/snort.conf -I -D

/etc/snort.conf is default, with the following changes:

var RULE_PATH /etc/snort/rules
include $RULE_PATH/porn.rules

I then hop over to another machine on the same hub, and google
for "nude cheerleader".

Why is snort not catching any nude cheerleaders?

snort creates /var/log/snort/alert, but it stays empty.

It sees the traffic though, because, if I do a:

% snort -v host 192.168.11.134 and port 3128

I get a whole bunch of

08/12-17:22:39.394159 192.168.11.134:4510 -> 192.168.11.253:3128
TCP TTL:128 TOS:0x0 ID:23551 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF304593D  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/12-17:22:39.394238 192.168.11.253:3128 -> 192.168.11.134:4510
TCP TTL:64 TOS:0x0 ID:6284 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x25D4274  Ack: 0xF304593E  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/12-17:22:39.394410 192.168.11.134:4510 -> 192.168.11.253:3128
TCP TTL:128 TOS:0x0 ID:23552 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xF304593E  Ack: 0x25D4275  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

and when I Ctrl-C out of snort, I get:

Snort analyzed 545 out of 545 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
   TCP: 27         (4.954%)          ALERTS: 0
   UDP: 0          (0.000%)          LOGGED: 0
  ICMP: 0          (0.000%)          PASSED: 0
   ARP: 0          (0.000%)
 EAPOL: 0          (0.000%)
  IPv6: 0          (0.000%)
   IPX: 0          (0.000%)
 OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Wireless Stats:
Breakdown by type:
   Management Packets: 0          (0.000%)
   Control Packets:    0          (0.000%)
   Data Packets:       0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
   Fragment Trackers: 0
  Rebuilt IP Packets: 0
  Frag elements used: 0
Discarded(incomplete): 0
  Discarded(timeout): 0
 Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
       TCP Packets Used: 0          (0.000%)
        Stream Trackers: 0
         Stream flushes: 0
          Segments used: 0
  Stream4 Memory Faults: 0
===============================================================================
Snort exiting

Thanx.


-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
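The two configuration points raised in the reply (HTTP_PORTS, and HOME_NET/EXTERNAL_NET) can be seen working on the three packets quoted above. The script below is an added illustration for this thread, not Snort's own matching code and not anything from the snort.conf or porn.rules the original poster used. It implements a small Snort-style rule-header matcher with variable expansion, then evaluates one hypothetical rule header in the usual outbound web-rule shape (`$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS`) against the captured client/proxy packets under three assumed variable sets: the stock values, HTTP_PORTS changed to 3128, and HTTP_PORTS 3128 combined with a HOME_NET that contains the proxy and an EXTERNAL_NET of `!$HOME_NET`.

```python
"""Toy Snort-style rule-header matcher (illustration added to the thread,
not Snort's own code). Shows why a rule written against $HTTP_PORTS never
fires on client<->proxy traffic on port 3128 unless the snort.conf
variables describe the traffic the sensor actually sees."""
import ipaddress
import re

# Packets constructed from the three `snort -v` lines quoted in the thread:
# (src_ip, src_port, dst_ip, dst_port)
PACKETS = [
    ("192.168.11.134", 4510, "192.168.11.253", 3128),
    ("192.168.11.253", 3128, "192.168.11.134", 4510),
    ("192.168.11.134", 4510, "192.168.11.253", 3128),
]

# Hypothetical rule header in the shape the stock outbound web-content
# rules use; the real porn.rules bodies are not reproduced here.
RULE = "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS"

# Three assumed snort.conf variable sets (not copied from the poster's file).
STOCK = {"HOME_NET": "any", "EXTERNAL_NET": "any", "HTTP_PORTS": "80"}
PROXY_PORT = {"HOME_NET": "any", "EXTERNAL_NET": "any", "HTTP_PORTS": "3128"}
PROXY_PORT_STRICT_NETS = {
    "HOME_NET": "192.168.11.0/24",   # the proxy 192.168.11.253 lives in here
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_PORTS": "3128",
}

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)$")


def resolve(spec, variables):
    """Expand $VAR references (possibly nested) and return (negated, body)."""
    negated = False
    while True:
        if spec.startswith("!"):
            negated = not negated
            spec = spec[1:]
        elif spec.startswith("$"):
            spec = variables[spec[1:]]
        else:
            return negated, spec


def _split_list(body):
    # "[a, b]" or "a" -> ["a", "b"] / ["a"]
    return [p.strip() for p in body.strip("[]").split(",") if p.strip()]


def ip_matches(spec, addr, variables):
    """Address spec: any, a CIDR/host, a [list], optionally negated with '!'."""
    negated, body = resolve(spec, variables)
    if body == "any":
        hit = True
    else:
        hit = any(ipaddress.ip_address(addr) in ipaddress.ip_network(n, strict=False)
                  for n in _split_list(body))
    return hit != negated


def port_matches(spec, port, variables):
    """Port spec: any, a single port, a lo:hi range, a [list], optionally negated."""
    negated, body = resolve(spec, variables)
    if body == "any":
        hit = True
    else:
        hit = False
        for item in _split_list(body):
            lo, sep, hi = item.partition(":")
            lo = int(lo) if lo else 0
            hi = int(hi) if hi else (65535 if sep else lo)
            if lo <= port <= hi:
                hit = True
    return hit != negated


def rule_matches(rule, packet, variables):
    """True when the packet's addresses and ports satisfy the rule header."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule header: {rule!r}")
    _action, _proto, src_ip, src_port, direction, dst_ip, dst_port = m.groups()
    s_ip, s_port, d_ip, d_port = packet

    def one_way(a_ip, a_port, b_ip, b_port):
        return (ip_matches(src_ip, a_ip, variables)
                and port_matches(src_port, a_port, variables)
                and ip_matches(dst_ip, b_ip, variables)
                and port_matches(dst_port, b_port, variables))

    if one_way(s_ip, s_port, d_ip, d_port):
        return True
    return direction == "<>" and one_way(d_ip, d_port, s_ip, s_port)


def count_alerts(variables, rule=RULE, packets=PACKETS):
    """Number of quoted packets whose header the rule would match."""
    return sum(rule_matches(rule, p, variables) for p in packets)


if __name__ == "__main__":
    for name, conf in [("stock", STOCK),
                       ("HTTP_PORTS=3128", PROXY_PORT),
                       ("HTTP_PORTS=3128, proxy inside HOME_NET", PROXY_PORT_STRICT_NETS)]:
        print(f"{name:40s} header matches: {count_alerts(conf)}")
```

With the stock variables nothing matches because every client packet goes to port 3128, not 80. Setting HTTP_PORTS to 3128 makes the two client-to-proxy packets match, which is the change the reply suggests. The third set shows the catch behind the advice to read the whole snort.conf: once HOME_NET is the local subnet and EXTERNAL_NET is `!$HOME_NET`, the proxy is a HOME_NET host, so an outbound `$HOME_NET -> $EXTERNAL_NET` rule cannot fire on traffic that never leaves the subnet, and only a sensor placed between the proxy and the Internet would see a matching flow. A header match is also only the first gate in real Snort; the rule's content checks and stream reassembly still have to agree before an alert is written.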
