Snort mailing list archives
Re: Snort only alert about traffic with an specific IP
From: "Berta Alcala" <berta83 () gmail com>
Date: Mon, 2 Jun 2008 09:37:40 +0200
Hi Rmkml, I don't remember where I downloaded snort for Windows, I supposed it was from www.snort.org I will install latest version and I will try it. 2008/5/30 rmkml <rmkml () free fr>:
thx Berta, where you have downloaded snort over windows please ? it is possible download latest snort v2.8.2 and test with default snort.cfg ? (snort v2.8.x.y use stream5, v2.7.x.y use stream4) Regards Rmkml On Fri, 30 May 2008, Berta Alcala wrote: Date: Fri, 30 May 2008 12:52:22 +0200From: Berta Alcala <berta83 () gmail com> To: rmkml <rmkml () free fr> Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Snort only alert about traffic with an specific IP Hi Rmkml, I've received some emails from you. In one of them you say that I can try with "-k none" option to disable checksum. I have installed snort as a windows service with this command: snort /SERVICE /INSTALL -dev -c c:\snort\etc\snort.conf -l c:\snort\log -i2 -k none But everything is the same. In other email you say that I have enabled stream5 in snort.conf, it's true, but I don't know if it is compiled in the snort binary (and I don't know I can do it). I sent you and email with the output you asked me (salida.log). I haven't received anything else. Thanks 2008/5/30 rmkml <rmkml () free fr>: Hi Berta, Im answered your questions, do you have received my email ? Regards Rmkml On Fri, 30 May 2008, Berta Alcala wrote: Date: Fri, 30 May 2008 10:12:39 +0200 From: Berta Alcala <berta83 () gmail com> To: Jason Brvenik <jasonb () sourcefire com> Cc: snort <snort-users () lists sourceforge net>, Paul Schmehl <pschmehl_lists_nada () tx rr com> Subject: Re: [Snort-users] Snort only alert about traffic with an specific IP Thank you very much for your help. I can not access to the switch I'm connected to, so I don't know how it is configurated. I will try to get access to the switch. I'm doing a degree essay at the University and the most important thing for me is to know why something doesn't work, if the problem is the switch that is enought for me. But what I really need to know is why some rules work and why others don't. If you use this rule, does it work for you? why not for me?? alert tcp $HOME_NET any -> any 1863 (msg:"CHAT MSN logout"; flags:PA+; content:"OUT"; classtype:policy-violation; sid:1000009; rev:1;) I have no problem with a rule to alert about MSN login, that is similar but with content LoginTime" instead of "OUT" Or this other one form info.rules ("INFO FTP no password", with sid:489, works for me): alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;) There are many rules that don't work. I suppose the problem has to be in snort.conf file. 2008/5/29 Jason Brvenik <jasonb () sourcefire com>: Are you monitoring a span or mirror port? Berta Alcala wrote: Hi, I tried with this rule (only this rule, the rest were commented in snort.conf): alert tcp any any -> any any (msg:"TCP traffic";sid:1000011; rev:1;) The only alerts registered are those which have my IP (source or destination). Using Ethereal I only see traffic with my IP as source, or destination, or broadcast traffic. I can not see a ping command between two others PCs with Ethereal, neither with Snort (I attach a pcap file) I have this information in snort.conf: var HOME_NET 172.18.64.0/19 <http://172.18.64.0/19> var EXTERNAL_NET any var DNS_SERVERS $HOME_NET var SMTP_SERVERS $HOME_NET var HTTP_SERVERS $HOME_NET var SQL_SERVERS $HOME_NET var TELNET_SERVERS $HOME_NET var SNMP_SERVERS $HOME_NET Snort is installed as a Windows service with this command line: snort /SERVICE /INSTALL -dev -c c:\Snort\etc\snort.conf -l c:\Snort\log -i2 I use Windows XP+Snort 2.7+Base Jason, How can I disable checksum? 2008/5/27 Paul Schmehl <pschmehl_lists () tx rr com <mailto: pschmehl_lists () tx rr com>>: Thousands of security professionals worldwide are using snort successfully. So, you can start with the safe assumption that the problem isn't snort. Whether or not snort alerts on traffic is entirely dependent upon two things: 1) Traffic is passing the interface that snort is listening on 2) You have snort properly configured to see that traffic. If you've convinced yourself, using Ethereal, that traffic *is* being seen on that interface, then that narrows the problem down to your configuration of snort. What have you defined $HOME_NET as? What have you defined $EXTERNAL_NET as? What rules have you enabled in snort.conf? What's your startup options for snort (what interface, where do you log, etc.)? To quickly see if snort is working at all, write a rule that looks for everything: alert ip any any -> any any (msg:"Testing for detection capability"; sid:1000001; rev:1;) Don't even bother editing sid-msg.map. All you care about is seeing that alerts are being generated. Depending upon your traffic, this could generate a ton of alerts in short order, so be prepared to shut down snort before you get overwhelmed. What are you using to view the alerts? -- Paul Schmehl As if it wasn't already obvious, my opinions are my own and not those of my employer. ------------------------------------------------------------------------ ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ ------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort only alert about traffic with an specific IP Berta Alcala (May 26)
- Re: Snort only alert about traffic with an specific IP Michael Boman (May 26)
- Re: Snort only alert about traffic with an specific IP Leon Ward (May 26)
- Re: Snort only alert about traffic with an specific IP Berta Alcala (May 27)
- Re: Snort only alert about traffic with an specific IP Jason Brvenik (May 27)
- Message not available
- Re: Snort only alert about traffic with an specific IP Berta Alcala (May 29)
- Re: Snort only alert about traffic with an specific IP Leon Ward (May 29)
- Re: Snort only alert about traffic with an specific IP Jason Brvenik (May 29)
- Re: Snort only alert about traffic with an specific IP Berta Alcala (May 30)
- Message not available
- Re: Snort only alert about traffic with an specific IP Berta Alcala (May 30)
- Message not available
- Re: Snort only alert about traffic with an specific IP Berta Alcala (Jun 02)
- Re: Snort only alert about traffic with an specific IP Berta Alcala (May 27)