Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Help to run snort on linux machine

From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 2 Mar 2010 09:09:09 -0500
Silly question, do you have any rules enabled? They don't come with a
default install of Snort these days, you have to go fetch them as a separate
package.

Also, since you just barely installed, you should be using 2.8.5.3, the
current version, instead of 2.8.5.1.

On Tue, Mar 2, 2010 at 6:42 AM, sri harsha <harsha536 () gmail com> wrote:


Hi,
    I am not able to detect attack packets using snort on linux PC. I
installed snort 2.8.5.1 on a linux PC. I'm using default configuration of
snort.conf. I'm sending attack packets from another linux machine with
destination as the snort installed PC. I'm using snot tool to send attack
packets. I observed the following alert message on the snort PC, when i sent
attack-response packets.

[**] [128:4:1] (spp_ssh) Protocol mismatch [**]
[Priority: 3]
03/02-11:00:08.532684 76.0.0.10:22 -> 4.4.4.10:49062
TCP TTL:197 TOS:0x0 ID:5234 IpLen:20 DgmLen:763
1*U*P*S* Seq: 0xA34D20A2  Ack: 0x97C04470  Win: 0x4B58  TcpLen: 20  UrgPtr:
0x87D9

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
03/02-11:00:08.532692 4.4.4.10 -> 76.0.0.10
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:155 DF

[**] [128:4:1] (spp_ssh) Protocol mismatch [**]
[Priority: 3]
03/02-11:00:14.590679 76.0.0.10:22 -> 4.4.4.10:17509
TCP TTL:83 TOS:0x0 ID:50679 IpLen:20 DgmLen:406
1****RSF Seq: 0xD5A78410  Ack: 0xBE5E0E08  Win: 0x39F5  TcpLen: 20

[**] [128:4:1] (spp_ssh) Protocol mismatch [**]
[Priority: 3]
03/02-11:00:17.620154 76.0.0.10:22 -> 4.4.4.10:37210
TCP TTL:252 TOS:0x0 ID:21173 IpLen:20 DgmLen:483
12U*P*S* Seq: 0xDB2FE072  Ack: 0x32A91A5C  Win: 0x8447  TcpLen: 20  UrgPtr:
0xEE86


Do i need to make any changes in the configuration of snort.conf? Thanks
for any help in advance.

Thanks,
Sriharsha


------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: