Snort mailing list archives
Re: rules not triggering
From: stephane nasdrovisky <stephane.nasdrovisky () paradigmo com>
Date: Fri, 13 Aug 2004 17:58:27 +0200
Snort will not find anything interesting between you and your proxy (port 3128).
You'd better move your sensor somewhere between you/your proxy and internet. You also have to configure HOME_NET and EXTERNAL_NET, read the whole snort.conf, understand it (eventually, the doc may help) and finally, update this config file so that it matches your network needs.
You may eventually change the HTTP_PORTS to 3128; this way, most rules will trigger on traffic travelling between you and your proxy (on port 3128), not on port 80 (which requires the sensor to be moved between your proxy and internet).
Anyway, in the end, you'll probably move your sensor 'near' your internet connection. After all, what are you interested in? Your boss googling for nice pictures or internet threats?
bofh wrote:
Basic install of snort from openbsd 3.5's port collection, snort 2.0.0. Rules are the ones I downloaded today, Aug 12, 2004. After installing it, I run it with the following command line:

% snort -A fast -c /etc/snort.conf -I -D

/etc/snort.conf is default, with the following changes:

var RULE_PATH /etc/snort/rules
include $RULE_PATH/porn.rules

I then hop over to another machine on the same hub, and google for "nude cheerleader". Why is snort not catching any nude cheerleaders? snort creates /var/log/snort/alert, but it stays empty. It sees the traffic though, because, if I do a:

% snort -v host 192.168.11.134 and port 3128

I get a whole bunch of

08/12-17:22:39.394159 192.168.11.134:4510 -> 192.168.11.253:3128
TCP TTL:128 TOS:0x0 ID:23551 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF304593D  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/12-17:22:39.394238 192.168.11.253:3128 -> 192.168.11.134:4510
TCP TTL:64 TOS:0x0 ID:6284 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x25D4274  Ack: 0xF304593E  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/12-17:22:39.394410 192.168.11.134:4510 -> 192.168.11.253:3128
TCP TTL:128 TOS:0x0 ID:23552 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xF304593E  Ack: 0x25D4275  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

and when I Ctrl-C out of snort, I get:

Snort analyzed 545 out of 545 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 27         (4.954%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
        Stream Trackers: 0
        Stream flushes: 0
        Segments used: 0
        Stream4 Memory Faults: 0
===============================================================================
Snort exiting

Thanx.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
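To see why the stock configuration stays silent and what each change suggested in the reply does, here is an added example (not from the thread and not Snort's own code) that evaluates the header of a typical porn.rules rule against the client-to-proxy flow from the quoted snort -v output. The rule header form, the Snort 2.0 defaults of any/any/80 and the 192.168.11.0/24 HOME_NET are assumptions.

```python
import ipaddress

# Constructed sample flow: the client->proxy SYN from the quoted snort -v output.
FLOW = {"src": "192.168.11.134", "sport": 4510, "dst": "192.168.11.253", "dport": 3128}
# Header form used by the stock porn.rules (assumption: check the rules you downloaded).
RULE_HEADER = "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS"


def addr_matches(spec, ip, variables):
    """Evaluate a Snort 2.x address spec: 'any', $VAR, a CIDR block, or a '!' negation."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port, variables):
    """Evaluate a port spec: 'any', $VAR, a single port, or a low:high range."""
    spec = spec.strip()
    if spec.startswith("$"):
        return port_matches(variables[spec[1:]], port, variables)
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def header_matches(header, flow, variables):
    """True if a directional ('->') tcp rule header would select this flow."""
    _, proto, src, sport, arrow, dst, dport = header.split()
    assert proto == "tcp" and arrow == "->"
    return (addr_matches(src, flow["src"], variables) and port_matches(sport, flow["sport"], variables)
            and addr_matches(dst, flow["dst"], variables) and port_matches(dport, flow["dport"], variables))


# Stock snort.conf values for 2.0 as assumed here: any/any/80, so the rule never looks
# at port 3128 and the alert file stays empty.
DEFAULTS = {"HOME_NET": "any", "EXTERNAL_NET": "any", "HTTP_PORTS": "80"}
# Only HTTP_PORTS changed, as the reply suggests: client->proxy traffic is now selected.
PROXY_PORT = dict(DEFAULTS, HTTP_PORTS="3128")
# HOME_NET/EXTERNAL_NET tightened as well: the proxy sits inside HOME_NET, so it is not
# "external" and the header stops matching again; only a sensor beyond the proxy sees port 80.
TIGHTENED = {"HOME_NET": "192.168.11.0/24", "EXTERNAL_NET": "!$HOME_NET", "HTTP_PORTS": "3128"}

if __name__ == "__main__":
    for name, v in [("defaults", DEFAULTS), ("proxy_port", PROXY_PORT), ("tightened", TIGHTENED)]:
        print(f"{name:10s} matches: {header_matches(RULE_HEADER, FLOW, v)}")
```

The third case is the trap behind the reply's advice: once EXTERNAL_NET excludes your own network, a proxy on the LAN is never "external", so the sensor has to sit between the proxy and the internet for these headers to match.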
Current thread:
- I don't see no porn bofh (Aug 12)
- rules not triggering bofh (Aug 13)
- Re: rules not triggering stephane nasdrovisky (Aug 13)
- rules not triggering bofh (Aug 13)