Snort mailing list archives

Re: Snort only alert about traffic with a specific IP


From: "Berta Alcala" <berta83 () gmail com>
Date: Mon, 2 Jun 2008 09:37:40 +0200

Hi Rmkml,

I don't remember where I downloaded snort for Windows; I suppose it was
from www.snort.org. I will install the latest version and try it.

2008/5/30 rmkml <rmkml () free fr>:

thx Berta,
where did you download snort for Windows, please?
Is it possible to download the latest snort v2.8.2 and test with the default snort.cfg?
(snort v2.8.x.y uses stream5, v2.7.x.y uses stream4)
Regards
Rmkml

On Fri, 30 May 2008, Berta Alcala wrote:

Date: Fri, 30 May 2008 12:52:22 +0200
From: Berta Alcala <berta83 () gmail com>
To: rmkml <rmkml () free fr>
Cc: snort-users () lists sourceforge net

Subject: Re: [Snort-users] Snort only alert about traffic with a specific IP

Hi Rmkml,

I've received some emails from you. In one of them you say that I can try
the "-k none" option to disable checksum verification. I have installed snort as a
Windows service with this command:

snort /SERVICE /INSTALL -dev -c c:\snort\etc\snort.conf -l c:\snort\log -i2 -k none

But everything is the same.

In another email you say that I have enabled stream5 in snort.conf; that's
true, but I don't know if it is compiled into the snort binary (and I don't
know if I can check that).

I sent you an email with the output you asked me for (salida.log).
I haven't received anything else.

Thanks


2008/5/30 rmkml <rmkml () free fr>:
     Hi Berta,
     I answered your questions, have you received my email?
     Regards
     Rmkml

     On Fri, 30 May 2008, Berta Alcala wrote:

Date: Fri, 30 May 2008 10:12:39 +0200
From: Berta Alcala <berta83 () gmail com>
To: Jason Brvenik <jasonb () sourcefire com>
Cc: snort <snort-users () lists sourceforge net>,
   Paul Schmehl <pschmehl_lists_nada () tx rr com>
Subject: Re: [Snort-users] Snort only alert about traffic with a specific IP

Thank you very much for your help.
I cannot access the switch I'm connected to, so I don't know how it is
configured. I will try to get access to the switch.
I'm doing a degree essay at the University and the most important thing
for me is to know why something doesn't work; if the problem is the switch,
that is enough for me. But what I really need to know is why some rules work
and why others don't.

If you use this rule, does it work for you? Why not for me?

alert tcp $HOME_NET any -> any 1863 (msg:"CHAT MSN logout"; flags:PA+; content:"OUT"; classtype:policy-violation; sid:1000009; rev:1;)

I have no problem with a rule to alert about MSN login, which is similar
but with content "LoginTime" instead of "OUT".

Or this other one from info.rules ("INFO FTP no password", with sid:489,
works for me):

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;)

There are many rules that don't work. I suppose the problem has to be in the
snort.conf file.




2008/5/29 Jason Brvenik <jasonb () sourcefire com>:
     Are you monitoring a span or mirror port?


     Berta Alcala wrote:
           Hi,

           I tried with this rule (only this rule, the rest were commented
           out in snort.conf):

           alert tcp any any -> any any (msg:"TCP traffic"; sid:1000011; rev:1;)

           The only alerts registered are those which have my IP (source
           or destination). Using Ethereal I only see traffic with my IP as source
           or destination, or broadcast traffic. I cannot see a ping
           between two other PCs with Ethereal, nor with Snort (I attach a
           pcap file).

           I have this information in snort.conf:

var HOME_NET 172.18.64.0/19
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET

Snort is installed as a Windows service with this command line:
snort /SERVICE /INSTALL -dev -c c:\Snort\etc\snort.conf -l c:\Snort\log -i2

I use Windows XP+Snort 2.7+Base

Jason, how can I disable checksum verification?

2008/5/27 Paul Schmehl <pschmehl_lists () tx rr com>:


   Thousands of security professionals worldwide are using snort
   successfully. So, you can start with the safe assumption that the
   problem isn't snort.

   Whether or not snort alerts on traffic is entirely dependent upon
   two things:
   1) Traffic is passing the interface that snort is listening on
   2) You have snort properly configured to see that traffic.

   If you've convinced yourself, using Ethereal, that traffic *is*
   being seen on that interface, then that narrows the problem down to
   your configuration of snort.

   What have you defined $HOME_NET as?
   What have you defined $EXTERNAL_NET as?
   What rules have you enabled in snort.conf?
   What are your startup options for snort (what interface, where do you
   log, etc.)?

   To quickly see if snort is working at all, write a rule that looks
   for everything:

   alert ip any any -> any any (msg:"Testing for detection capability"; sid:1000001; rev:1;)

   Don't even bother editing sid-msg.map.  All you care about is seeing
   that alerts are being generated.  Depending upon your traffic, this
   could generate a ton of alerts in short order, so be prepared to
   shut down snort before you get overwhelmed.

   What are you using to view the alerts?

   -- 
   Paul Schmehl
   As if it wasn't already obvious,
   my opinions are my own and not
   those of my employer.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
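The thread turns on whether the monitored interface sees traffic between other hosts at all (Jason's span/mirror-port question, and Berta's observation that only her own and broadcast traffic shows up). The following added example, which is not part of the thread and uses a constructed pcap rather than Berta's attached capture, reads a pcap file and counts frames by "own", "broadcast" and "third-party" so that the capture itself answers that question before any snort.conf tuning; the host IP 172.18.64.10 and the peers are assumed addresses inside the thread's HOME_NET.

```python
import socket
import struct

def ipv4_frame(src, dst, eth_dst=b"\x00\x11\x22\x33\x44\x55", proto=6):
    # Minimal Ethernet + IPv4 header with no payload; enough to read src/dst.
    eth = eth_dst + b"\x00\x0a\x0b\x0c\x0d\x0e" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip

def build_pcap(frames):
    # Classic libpcap file: 24-byte global header, then 16-byte record headers.
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + recs

def iter_ipv4(pcap):
    # Yield (ethernet dst MAC, src IP, dst IP) for each IPv4 frame in the file.
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            yield frame[:6], socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])

def classify(pcap, my_ip):
    # A plain switch port delivers only "own" and "broadcast" frames;
    # "third_party" frames appear only when the port mirrors other traffic.
    counts = {"own": 0, "broadcast": 0, "third_party": 0}
    for eth_dst, src, dst in iter_ipv4(pcap):
        if eth_dst == b"\xff" * 6 or dst == "255.255.255.255":
            counts["broadcast"] += 1
        elif my_ip in (src, dst):
            counts["own"] += 1
        else:
            counts["third_party"] += 1
    return counts

def likely_span_port(counts):
    return counts["third_party"] > 0

# Constructed sample (not a real capture): my host, a gateway, a broadcast,
# and a ping between two other PCs that a mirror port would have to deliver.
SAMPLE_FRAMES = [
    ipv4_frame("172.18.64.10", "172.18.64.1"),
    ipv4_frame("172.18.64.1", "172.18.64.10"),
    ipv4_frame("172.18.64.1", "255.255.255.255", eth_dst=b"\xff" * 6, proto=17),
    ipv4_frame("172.18.64.20", "172.18.64.21", proto=1),
    ipv4_frame("172.18.64.21", "172.18.64.20", proto=1),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)
```

Run `classify` on the real capture read with `open(path, "rb").read()`; a zero `third_party` count points at the switch port, not at snort.conf.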