Snort mailing list archives

RE: [Snort 2.2.0] Rules won't trigger


From: "Joshua Berry" <jberry () PENSON COM>
Date: Thu, 20 Jan 2005 10:28:05 -0600

If you are not queueing the packets, then Snort will alert on the first
signature that matches (if I remember correctly); therefore only one of
these signatures will be logged.  You need to use:

config event_queue: max_queue x log y order_events priority

Where x is replaced with a number you feel comfortable queueing, and
y is the number of signatures to alert on in order of priority (I
think).

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Edin
Dizdarevic
Sent: Thursday, January 20, 2005 4:41 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] [Snort 2.2.0] Rules won't trigger

Hi there!

I have a problem, and I cannot find the error in my config. However, the rules
won't trigger for some reason. Would somebody please be so kind as to take
a look and open my eyes? Thx in advance.

Snort is 2.2.0, started for the test like this:

snort -c snort.conf_eth1 -i eth1 -A console -N

I have these rules:

alert tcp 172.16.0.1 any -> 172.16.0.254 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"GOT IT!";)

Then I try to log in as MySQL root from another machine:

$ mysql -h 172.16.0.254 -u root -p

->

01/20/05-11:33:39.774072  [**] [1:0:0]  <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.774190  [**] [1:0:0]  <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.774707  [**] [1:0:0]  <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.774980  [**] [1:0:0]  <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.775335  [**] [1:0:0]  <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306

Can anybody please explain this to me?

Thx & regards,
Edin

The config file:

var HOME_NET [172.16.0.254/32,10.0.0.0/24]

var EXTERNAL_NET !$HOME_NET

var HTTP_SERVERS [172.16.0.254/32,10.0.0.0/24]
var SQL_SERVERS [172.16.0.254/32]
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var RULE_PATH ./snortrules
preprocessor frag2: timeout 60, memcap 8388608
preprocessor stream4: disable_evasion_alerts, timeout 120, memcap 33554432
preprocessor stream4_reassemble: both, ports 22 25 53 80 3306
preprocessor flow: stats_interval 0 hash 2
output log_unified: filename unified.log, limit 512
output alert_unified: filename unified.alert, limit 512
config set_gid: snort
config interface: eth1
config alert_with_interface_name
config disable_decode_alerts
config logdir: /var/log/snort
config umask: 027
config set_uid: snort
config show_year
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method lowmem
config threshold: memcap 8388608
config checksum_mode: none
include classification.config
include reference.config
include $RULE_PATH/local.rules

local.rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"GOT IT!";)
alert tcp 172.16.0.1 any -> 172.16.0.254 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)

Full log:

[root@victim snort]# snort -c snort.conf_eth1 -i eth1 -A console -N
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth1

         --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf_eth1

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
[*] Frag2 config:
     Fragment timeout: 60 seconds
     Fragment memory cap: 8388608 bytes
     Fragment min_ttl:   0
     Fragment ttl_limit: 5
     Fragment Problems: 0
     State Protection: 0
     Self preservation threshold: 500
     Self preservation period: 90
     Suspend threshold: 1000
     Suspend period: 30
Stream4 config:
     Stateful inspection: ACTIVE
     Session statistics: INACTIVE
     Session timeout: 120 seconds
     Session memory cap: 33554432 bytes
     State alerts: INACTIVE
     Evasion alerts: INACTIVE
     Scan alerts: INACTIVE
     Log Flushed Streams: INACTIVE
     MinTTL: 1
     TTL Limit: 5
     Async Link: 0
     State Protection: 0
     Self preservation threshold: 50
     Self preservation period: 90
     Suspend threshold: 200
     Suspend period: 30
Stream4_reassemble config:
     Server reassembly: ACTIVE
     Client reassembly: ACTIVE
     Reassembler alerts: ACTIVE
     Zero out flushed packets: INACTIVE
     flush_data_diff_size: 500
     Ports: 22 25 53 80 3306
     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
command line overrides rules file logging plugin!
command line overrides rules file alert plugin!

Initializing Network Interface eth1
Found logdir config directive (/var/log/snort)
Detection:
    Search-Method = Low-Mem Trie
2 Snort rules read...
2 Option Chains linked into 2 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++


+-----------------------[thresholding-config]----------------------------------
| memory-cap : 8388608 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

         --== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0 (Build 30)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
01/20/05-11:40:24.597428  [**] [1:0:0]  <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.597536  [**] [1:0:0]  <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.598304  [**] [1:0:0]  <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.598622  [**] [1:0:0]  <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.599022  [**] [1:0:0]  <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306


-- 
Edin Dizdarevic


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

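The following is an added example for this thread; it is not code from either message or from Snort itself. It decodes the content string of the sid:1775 rule in Edin's local.rules into the bytes Snort actually searches for, runs both of his rules over a constructed client-to-server session (the packets are built here, not captured, and flow: is not modelled), and models the per-packet event_queue selection Joshua describes with a simplified queue. The function names, the sample payloads, and the placement of unclassified (priority 0) rules last under priority ordering are assumptions of this example.

```python
"""
Added example for this thread: not code from the posts or from Snort.
Decodes Snort's content:"..." syntax, runs the two rules from the post over
constructed sample packets, and models 'config event_queue' selection.
"""
import string

# content string of the "MYSQL root login attempt" rule (sid:1775) from the post
MYSQL_ROOT_CONTENT = "|0A 00 00 01 85 04 00 00 80|root|00|"


def parse_snort_content(pattern):
    """Turn a Snort content string into the raw bytes the engine searches for.
    Text outside |...| is literal; inside, whitespace-separated hex bytes.
    Snort requires |, ;, " and \\ to be backslash-escaped in the literal part."""
    out = bytearray()
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "|":
            end = pattern.find("|", i + 1)
            if end < 0:
                raise ValueError("unterminated |hex| section in %r" % pattern)
            hexdigits = "".join(pattern[i + 1:end].split())
            if len(hexdigits) % 2 or any(c not in string.hexdigits for c in hexdigits):
                raise ValueError("bad hex section %r" % pattern[i:end + 1])
            out += bytes.fromhex(hexdigits)
            i = end + 1
        elif ch == "\\":
            if i + 1 >= n or pattern[i + 1] not in '|;"\\':
                raise ValueError("bad escape at offset %d in %r" % (i, pattern))
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)


def content_matches(pattern, payload, nocase=False, offset=0, depth=None):
    """Bare content match: needle anywhere in payload[offset:offset+depth]."""
    needle = parse_snort_content(pattern)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return (needle.lower() in window.lower()) if nocase else (needle in window)


# Constructed sample payloads, not captured traffic. ROOT_LOGIN_OLD follows the
# layout the rule's bytes describe (pre-4.1 MySQL client auth): 3-byte LE length
# (10), sequence 1, 2-byte client flags, 3-byte max packet size, user, NUL, and
# nothing more because the password is empty.
ROOT_LOGIN_OLD = bytes.fromhex("0a000001" "8504" "000080") + b"root\x00"
# ROOT_LOGIN_NEW follows the 4.1+ client handshake layout: 4-byte flags, 4-byte
# max packet size, charset byte, 23 reserved bytes, user, NUL, auth-data length.
ROOT_LOGIN_NEW = (bytes.fromhex("26000001") + bytes.fromhex("85a60300")
                  + bytes.fromhex("00000001") + b"\x21" + b"\x00" * 23
                  + b"root\x00" + b"\x00")

# (msg, classtype priority, content). classification.config gives
# protocol-command-decode priority 3; the sid-less "GOT IT!" rule has no
# classtype, which Snort prints as priority 0.
RULES = [
    ("GOT IT!", 0, None),
    ("MYSQL root login attempt", 3, MYSQL_ROOT_CONTENT),
]


def alerts_for_packet(payload, rules=RULES):
    """Events one client->server packet to port 3306 raises: a rule with no
    payload options matches every such packet, a content rule only the packet
    that carries the bytes."""
    return [r for r in rules if r[2] is None or content_matches(r[2], payload)]


def count_alerts(packets, rules=RULES):
    counts = {}
    for p in packets:
        for msg, _, _ in alerts_for_packet(p, rules):
            counts[msg] = counts.get(msg, 0) + 1
    return counts


# Constructed client->server side of one session: SYN, ACK, auth packet, a
# query, a bare ACK. The header-only rule fires 5 times, the content rule once.
SESSION = [b"", b"", ROOT_LOGIN_OLD, b"\x09\x00\x00\x00\x03select 1", b""]


def event_queue_log(events, max_queue=8, log=3, order_events="content_length"):
    """Simplified model of 'config event_queue' (Snort 2.x): at most max_queue
    events per packet are kept, ordered, and the first `log` are logged.
    'content_length' (the default) puts the longest content first and
    contentless rules last; 'priority' orders by classtype priority with 1 the
    highest. Placing unclassified (0) rules last is an assumption of this model."""
    queued = events[:max_queue]
    if order_events == "priority":
        queued = sorted(queued, key=lambda e: e[1] if e[1] > 0 else float("inf"))
    elif order_events == "content_length":
        queued = sorted(queued, key=lambda e: -len(parse_snort_content(e[2])) if e[2] else 1)
    else:
        raise ValueError("unknown order_events %r" % order_events)
    return [msg for msg, _, _ in queued[:log]]


if __name__ == "__main__":
    print(count_alerts(SESSION))
    print(event_queue_log(alerts_for_packet(ROOT_LOGIN_OLD), log=1))
```

The practical use is the first two functions: paste the payload bytes of the real login packet (for example from tcpdump -X on the victim) into content_matches and you learn whether the 9-byte header the rule expects is present at all, independent of Snort's queue settings. The session model shows the other half of the thread: a rule with no payload options, such as "GOT IT!", fires on every segment of the connection, which is why one login produces five alerts.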