Snort mailing list archives
Re: Help to run snort on linux machine
From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 2 Mar 2010 09:09:09 -0500
Silly question, do you have any rules enabled? They don't come with a default install of Snort these days, you have to go fetch them as a separate package. Also, since you just barely installed, you should be using 2.8.5.3, the current version, instead of 2.8.5.1.

On Tue, Mar 2, 2010 at 6:42 AM, sri harsha <harsha536 () gmail com> wrote:

Hi, I am not able to detect attack packets using snort on linux PC. I installed snort 2.8.5.1 on a linux PC. I'm using default configuration of snort.conf. I'm sending attack packets from another linux machine with destination as the snort installed PC. I'm using snot tool to send attack packets. I observed the following alert message on the snort PC, when I sent attack-response packets.

[**] [128:4:1] (spp_ssh) Protocol mismatch [**]
[Priority: 3]
03/02-11:00:08.532684 76.0.0.10:22 -> 4.4.4.10:49062
TCP TTL:197 TOS:0x0 ID:5234 IpLen:20 DgmLen:763
1*U*P*S* Seq: 0xA34D20A2 Ack: 0x97C04470 Win: 0x4B58 TcpLen: 20 UrgPtr: 0x87D9

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
03/02-11:00:08.532692 4.4.4.10 -> 76.0.0.10
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:155 DF

[**] [128:4:1] (spp_ssh) Protocol mismatch [**]
[Priority: 3]
03/02-11:00:14.590679 76.0.0.10:22 -> 4.4.4.10:17509
TCP TTL:83 TOS:0x0 ID:50679 IpLen:20 DgmLen:406
1****RSF Seq: 0xD5A78410 Ack: 0xBE5E0E08 Win: 0x39F5 TcpLen: 20

[**] [128:4:1] (spp_ssh) Protocol mismatch [**]
[Priority: 3]
03/02-11:00:17.620154 76.0.0.10:22 -> 4.4.4.10:37210
TCP TTL:252 TOS:0x0 ID:21173 IpLen:20 DgmLen:483
12U*P*S* Seq: 0xDB2FE072 Ack: 0x32A91A5C Win: 0x8447 TcpLen: 20 UrgPtr: 0xEE86

Do I need to make any changes in the configuration of snort.conf? Thanks for any help in advance.

Thanks,
Sriharsha
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
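A quick way to confirm the diagnosis in this reply from the alert file itself: every alert quoted above comes from a preprocessor generator (GID 128 is spp_ssh, GID 122 is sfPortscan), and none from GID 1, the rule engine, which is exactly what a Snort with no rule files loaded produces. This added example (not from the thread or the Snort project) parses Snort "full" alert headers and flags that condition; the sample alerts are constructed after the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the alerts quoted in the thread.
SAMPLE_ALERTS = """\
[**] [128:4:1] (spp_ssh) Protocol mismatch [**]
[Priority: 3]
03/02-11:00:08.532684 76.0.0.10:22 -> 4.4.4.10:49062
TCP TTL:197 TOS:0x0 ID:5234 IpLen:20 DgmLen:763
[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
03/02-11:00:08.532692 4.4.4.10 -> 76.0.0.10
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:155 DF
[**] [128:4:1] (spp_ssh) Protocol mismatch [**]
[Priority: 3]
03/02-11:00:14.590679 76.0.0.10:22 -> 4.4.4.10:17509
"""

# Header line of a Snort "full" alert: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")

RULE_ENGINE_GID = 1  # GID 1 is the rule engine; other GIDs are preprocessors


def parse_alerts(text):
    """Return (gid, sid, rev, msg) for each alert header found in text."""
    alerts = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            gid, sid, rev, msg = m.groups()
            alerts.append((int(gid), int(sid), int(rev), msg))
    return alerts


def summarize(alerts):
    """Count alerts per generator and say whether the rule engine fired at all."""
    by_gid = Counter(gid for gid, _, _, _ in alerts)
    rule_hits = by_gid.get(RULE_ENGINE_GID, 0)
    return {
        "total": len(alerts),
        "by_gid": dict(by_gid),
        "rule_engine_alerts": rule_hits,
        # Only preprocessor GIDs firing is consistent with no rules loaded.
        "likely_no_rules_loaded": len(alerts) > 0 and rule_hits == 0,
    }


if __name__ == "__main__":
    print(summarize(parse_alerts(SAMPLE_ALERTS)))
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file contents; a non-zero total with zero GID 1 alerts means the sensor is seeing traffic but has no rules to match it against.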
Current thread:
- Help to run snort on linux machine sri harsha (Mar 02)
- Re: Help to run snort on linux machine Alex Kirk (Mar 02)
- Re: Help to run snort on linux machine Alex Kirk (Mar 02)