Snort mailing list archives
Re: Cant detect Nessus and MS Baseline scanner in Snort v2.8.6
From: "Chan, Wilson" <wchan () honolulu gov>
Date: Wed, 21 Jul 2010 12:21:34 -1000
Hi Nick,

I'm able to detect the nmap and Nessus scans now because I had a bad port span where L2 traffic was bypassing the vlan. That's fixed now but I can't generate any events from the sfportscan preprocessor. Below is what I have enabled in my config. Am I missing something? Thanks!

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor stream5_udp:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { high }

Wilson Chan

From: Nick Moore [mailto:nmoore () sourcefire com]
Sent: Tuesday, July 20, 2010 6:01 PM
To: Chan, Wilson
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Cant detect Nessus and MS Baseline scanner in Snort v2.8.6

Wilson,

Can you attach your snort.conf file? I'd like to see your preprocessor config, specifically the sfportscan preprocessor.

Nick

On Tue, Jul 20, 2010 at 2:10 PM, Chan, Wilson <wchan () honolulu gov> wrote:

I did some testing and our snort sensors are not alerting on Nessus scans (All plugins except DDOS) and MS Baseline scanner. I have most of the Snort and Emerging Threats rules. Am I missing a rule set? Thanks!
include $RULE_PATH/exploit.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
##include $RULE_PATH/web-cgi.rules
##include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
##include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
##include $RULE_PATH/web-client.rules
##include $RULE_PATH/web-php.rules
##include $RULE_PATH/sql.rules
##include $RULE_PATH/x11.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
##include $RULE_PATH/oracle.rules
##include $RULE_PATH/mysql.rules
include $RULE_PATH/smtp.rules
##include $RULE_PATH/imap.rules
##include $RULE_PATH/pop2.rules
##include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/spyware-put.rules
include $RULE_PATH/specific-threats.rules
# include $RULE_PATH/voip.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/emerging-attack_response.rules
#include $RULE_PATH/emerging-botcc-BLOCK.rules
#include $RULE_PATH/emerging-botcc.rules
#include $RULE_PATH/emerging-compromised-BLOCK.rules
#include $RULE_PATH/emerging-compromised.rules
#include $RULE_PATH/emerging.conf
include $RULE_PATH/emerging-current_events.rules
#include $RULE_PATH/emerging-dos.rules
#include $RULE_PATH/emerging-drop-BLOCK.rules
#include $RULE_PATH/emerging-drop.rules
#include $RULE_PATH/emerging-dshield-BLOCK.rules
#include $RULE_PATH/emerging-dshield.rules
include $RULE_PATH/emerging-exploit.rules
#include $RULE_PATH/emerging-game.rules
#include $RULE_PATH/emerging-inappropriate.rules
include $RULE_PATH/emerging-malware.rules
#include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-policy.rules
#include $RULE_PATH/emerging-rbn-BLOCK.rules
#include $RULE_PATH/emerging-rbn.rules
#include $RULE_PATH/emerging-readme.txt
#include $RULE_PATH/emerging.rules
include $RULE_PATH/emerging-scan.rules
#include $RULE_PATH/emerging-sid-msg.map
#include $RULE_PATH/emerging-sid-msg.map.txt
#include $RULE_PATH/emerging-tor-BLOCK.rules
#include $RULE_PATH/emerging-tor.rules
include $RULE_PATH/emerging-user_agents.rules
include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-voip.rules
#include $RULE_PATH/emerging-web_client.rules
#include $RULE_PATH/emerging-web.rules
#include $RULE_PATH/emerging-web_server.rules
#include $RULE_PATH/emerging-web_specific_apps.rules
#include $RULE_PATH/emerging-web_sql_injection.rules
# decoder and preprocessor event rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/dos.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/imap.rules
# include $SO_RULE_PATH/misc.rules
# include $SO_RULE_PATH/multimedia.rules
# include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
# include $SO_RULE_PATH/p2p.rules
# include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/sql.rules
# include $SO_RULE_PATH/web-activex.rules
# include $SO_RULE_PATH/web-client.rules
# include $SO_RULE_PATH/web-misc.rules

Wilson Chan

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM nickgmoore (Yahoo) nickgmoore38 (AIM)
  ,,_
 o"  )~   Sourcefire - The Creators of Snort
  ''''    www.sourcefire.com  www.snort.org
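An added example, not code from the thread or from Snort itself: a small Python audit of the snort.conf fragment pasted above, which separates live rule includes from commented-out ones (the list mixes "#include", "##include" and "# include"), parses the sfportscan options, and flags whether the posted stream5 lines cover TCP. The embedded config is an excerpt of what was posted; the stream5_tcp check reflects my reading of the Snort 2.8 manual (sfportscan relies on stream5 for TCP tracking) and is not something the thread states.

```python
import re

# Excerpt of the snort.conf fragment posted in the thread (preprocessor lines
# plus a few of the include lines); the full posted list is much longer.
SNORT_CONF = """\
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor stream5_udp:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { high }
include $RULE_PATH/scan.rules
##include $RULE_PATH/web-client.rules
# include $RULE_PATH/shellcode.rules
include $RULE_PATH/emerging-scan.rules
#include $RULE_PATH/emerging-web_client.rules
# decoder and preprocessor event rules
"""

INCLUDE_RE = re.compile(r'^(?P<off>#*\s*)include\s+(?P<path>\S+)')
PREPROC_RE = re.compile(r'^preprocessor\s+(?P<name>\w+):\s*(?P<args>.*)$')
OPTION_RE = re.compile(r'(\w+)\s*\{\s*([^}]*?)\s*\}')  # "key { value }" pairs

def parse_conf(text):
    """Return (enabled includes, commented-out includes, {preprocessor: args})."""
    enabled, disabled, preprocs = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = INCLUDE_RE.match(line)
        if m:  # '#include', '##include' and '# include' are all disabled
            target = disabled if m.group('off').startswith('#') else enabled
            target.append(m.group('path'))
            continue
        m = PREPROC_RE.match(line)
        if m:
            preprocs[m.group('name')] = m.group('args').strip()
    return enabled, disabled, preprocs

def sfportscan_options(preprocs):
    """Parse 'proto { all } memcap { N } sense_level { high }' into a dict,
    or None when no sfportscan line exists."""
    args = preprocs.get('sfportscan')
    return None if args is None else dict(OPTION_RE.findall(args))

def stream5_tcp_unconfigured(preprocs):
    """True when stream5_global has 'track_tcp yes' but no stream5_tcp line.
    Assumption (Snort 2.8 manual, not stated in the thread): sfportscan relies
    on stream5 for TCP scan detection, so check this first in the full file."""
    glob = preprocs.get('stream5_global', '')
    return 'track_tcp yes' in glob and 'stream5_tcp' not in preprocs
```

Run it against the complete snort.conf rather than the excerpt to see every disabled rule set at once; the sfportscan line parses to its three options and the stream5 check reports True for the fragment as posted.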