Snort mailing list archives
RE: [Snort 2.2.0] Rules won't trigger
From: "Joshua Berry" <jberry () PENSON COM>
Date: Thu, 20 Jan 2005 10:28:05 -0600
If you are not queuing the packets then snort will alert on the first signature that matches (if I remember correctly), therefore only one of these signatures will be logged. You need to use:

config event_queue: max_queue x log y order_events priority

Where x is replaced with a number you feel comfortable with queuing, and y is the number of signatures to alert on in order of priority (I think).

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Edin Dizdarevic
Sent: Thursday, January 20, 2005 4:41 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] [Snort 2.2.0] Rules won't trigger

Hi there!

I have a problem: I cannot find the error in my config. However, rules won't trigger for some reason. Would somebody please be so kind as to take a look and open my eyes. Thx in advance.

Snort is 2.2.0, started for the test like this:

snort -c snort.conf_eth1 -i eth1 -A console -N

I have these rules:

alert tcp 172.16.0.1 any -> 172.16.0.254 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"GOT IT!";)

Then I try to login as MySQL root from another machine:

$ mysql -h 172.16.0.254 -u root -p

->

01/20/05-11:33:39.774072 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.774190 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.774707 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.774980 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
01/20/05-11:33:39.775335 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306

Can anybody please explain this to me?

Thx & regards,
Edin

The config file:

var HOME_NET [172.16.0.254/32,10.0.0.0/24]
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS [172.16.0.254/32,10.0.0.0/24]
var SQL_SERVERS [172.16.0.254/32]
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var RULE_PATH ./snortrules

preprocessor frag2: timeout 60, memcap 8388608
preprocessor stream4: disable_evasion_alerts, timeout 120, memcap 33554432
preprocessor stream4_reassemble: both, ports 22 25 53 80 3306
preprocessor flow: stats_interval 0 hash 2

output log_unified: filename unified.log, limit 512
output alert_unified: filename unified.alert, limit 512

config set_gid: snort
config interface: eth1
config alert_with_interface_name
config disable_decode_alerts
config logdir: /var/log/snort
config umask: 027
config set_uid: snort
config show_year
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method lowmem
config threshold: memcap 8388608
config checksum_mode: none

include classification.config
include reference.config
include $RULE_PATH/local.rules

local.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"GOT IT!";)
alert tcp 172.16.0.1 any -> 172.16.0.254 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)

Full log:

[root@victim snort]# snort -c snort.conf_eth1 -i eth1 -A console -N
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth1

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf_eth1

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
[*] Frag2 config:
    Fragment timeout: 60 seconds
    Fragment memory cap: 8388608 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    State Protection: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 120 seconds
    Session memory cap: 33554432 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 22 25 53 80 3306
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
command line overrides rules file logging plugin!
command line overrides rules file alert plugin!
Initializing Network Interface eth1
Found logdir config directive (/var/log/snort)
Detection:
   Search-Method = Low-Mem Trie
2 Snort rules read...
2 Option Chains linked into 2 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 8388608 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0 (Build 30)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

01/20/05-11:40:24.597428 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.597536 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.598304 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.598622 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306
01/20/05-11:40:24.599022 [**] [1:0:0] <eth1> GOT IT! [**] [Priority: 0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306

--
Edin Dizdarevic

-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting Tool for open source databases. Create drag-&-drop reports. Save time by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
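To make the `config event_queue: max_queue x log y order_events z` semantics from the reply above concrete, here is an added Python simulation. It is not code from Snort or from anyone in this thread: it parses that directive and models what the documented options mean (at most `max_queue` events queued for one packet, sorted by `order_events`, and only the first `log` of them logged). Assumptions it makes, not verified against the Snort source: the queue keeps the first `max_queue` matches in arrival order, equal priorities are tie-broken by longer content, and the defaults are `max_queue 8`, `log 3`, `order_events content_length`. The sample events are constructed; only sid 1775 comes from the thread (its `content:` totals 14 bytes, and `classtype:protocol-command-decode` carries priority 3 in the stock classification.config). The catch-all "GOT IT!" rule is given a constructed sid and an explicit constructed priority 4, since the thread's output shows it with no classtype and `[Priority: 0]`.

```python
"""Simulation of how Snort 2.x's event queue picks which alerts to log.

Added illustration, not Snort source. Models the directive
    config event_queue: max_queue X log Y order_events Z
Assumptions (not checked against Snort): first-come queue fill, ties on
priority broken by longer content, defaults max_queue 8 / log 3 /
order_events content_length.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    sid: int
    msg: str
    priority: int          # 1 = highest priority, larger numbers = lower
    content_len: int       # bytes of content: patterns in the rule (0 if none)
    is_rule: bool = True   # False for decoder / preprocessor events


@dataclass(frozen=True)
class EventQueueConfig:
    max_queue: int = 8
    log: int = 3
    order_events: str = "content_length"


_LINE = re.compile(r"^\s*config\s+event_queue\s*:\s*(.*?)\s*$")


def parse_event_queue_line(line: str) -> EventQueueConfig:
    """Parse a 'config event_queue: ...' line; unknown keys/values are errors."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an event_queue directive: {line!r}")
    tokens = m.group(1).split()
    if len(tokens) % 2:
        raise ValueError("event_queue options come in key/value pairs")
    opts = {}
    for key, value in zip(tokens[::2], tokens[1::2]):
        if key in ("max_queue", "log"):
            opts[key] = int(value)
        elif key == "order_events":
            if value not in ("priority", "content_length"):
                raise ValueError(f"unknown order_events value {value!r}")
            opts[key] = value
        else:
            raise ValueError(f"unknown event_queue option {key!r}")
    return EventQueueConfig(**opts)


def _sort_key(cfg: EventQueueConfig, e: Event):
    if cfg.order_events == "priority":
        return (e.priority, -e.content_len)       # lowest number first
    # content_length: rule events before decoder events, longer content first
    return (0 if e.is_rule else 1, -e.content_len)


def select_logged(matches, cfg: EventQueueConfig):
    """Return the events that would be logged for one packet, in log order."""
    queued = list(matches)[:cfg.max_queue]        # assumption: first-come fill
    queued.sort(key=lambda e: _sort_key(cfg, e))
    return queued[:cfg.log]


# Constructed sample: five events that all matched one packet to TCP/3306.
SAMPLE_MATCHES = [
    Event(1775, "MYSQL root login attempt", priority=3, content_len=14),
    Event(1000001, "GOT IT! (constructed sid/priority)", priority=4, content_len=0),
    Event(1000002, "CONSTRUCTED trojan-activity beacon", priority=1, content_len=6),
    Event(1000003, "CONSTRUCTED misc-activity long pattern", priority=3, content_len=20),
    Event(1, "CONSTRUCTED (snort_decoder) bad option", priority=3, content_len=0,
          is_rule=False),
]


def logged_sids(config_line: str, matches=SAMPLE_MATCHES):
    """Apply one event_queue directive to the sample matches; return sids logged."""
    return [e.sid for e in select_logged(matches, parse_event_queue_line(config_line))]


if __name__ == "__main__":
    for line in (
        "config event_queue: max_queue 8 log 3 order_events content_length",
        "config event_queue: max_queue 8 log 3 order_events priority",
        "config event_queue: max_queue 8 log 1 order_events priority",
        "config event_queue: max_queue 2 log 2 order_events priority",
    ):
        print(f"{line}\n  -> logs sids {logged_sids(line)}")
```

The last directive in the usage loop is the caveat worth noticing: with `max_queue 2` the priority-1 event never enters the queue at all, because it arrived third, so `order_events priority` cannot rescue it. Raising `log` only helps if `max_queue` is large enough to hold everything you would want ranked.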
Current thread:
- [Snort 2.2.0] Rules won't trigger Edin Dizdarevic (Jan 20)
- Re: [Snort 2.2.0] Rules won't trigger Alex Kirk (Jan 20)
- Re: [Snort 2.2.0] Rules won't trigger Edin Dizdarevic (Jan 31)
- <Possible follow-ups>
- RE: [Snort 2.2.0] Rules won't trigger Joshua Berry (Jan 20)
- Re: [Snort 2.2.0] Rules won't trigger Edin Dizdarevic (Jan 20)
- Re: [Snort 2.2.0] Rules won't trigger Alex Kirk (Jan 20)
- Re: [Snort 2.2.0] Rules won't trigger Edin Dizdarevic (Jan 20)
- Re: [Snort 2.2.0] Rules won't trigger Edin Dizdarevic (Jan 20)