Snort mailing list archives
Re: Logging - A easy way ?
From: Jeremy Hoel <jthoel () gmail com>
Date: Wed, 27 Mar 2013 09:09:41 -0600
Hahaha! That's funny. Wow. Well, it's good you figured out what the problem was. As far as tuning goes.. that's the fun part. Understanding the rules and the variables goes a long way towards removing false positives. That, and knowing what it is you want to look for. Good luck!

On Mar 27, 2013 6:01 AM, "Joao Daniel Neves" <joaodanielnevesss () hotmail com> wrote:

Hi Guys,
I think it is working. The guy who deployed Snort has commented out all udp/icmp rules. I asked "Why did you do that?" He told me "Attacks only came from TCP packages". Unfortunately I can not fire him. I'm not tuning Snort since there are a lot of (false) ICMP alerts.

From: jthoel () gmail com
Date: Tue, 26 Mar 2013 17:40:15 +0000
Subject: Re: [Snort-users] Logging - A easy way ?
To: joaodanielnevesss () hotmail com
CC: snort-users () lists sourceforge net

Change the icmp to UDP (or add another rule to do that).. do a UDP, then the alert should fire.. then you know snort itself is seeing the udp packets at that box. And if you want to see if it works sniffing the network, then udp scan another box, whose traffic should pass through the span port, and then see if it fires.

On Tue, Mar 26, 2013 at 1:37 PM, Joao Daniel Neves <joaodanielnevesss () hotmail com> wrote:

Hi Jeremy,
I would like to thank you for your help. I have written a very simple rule for alerting on ICMP:

alert icmp any any -> any any

Just that. So it seems that I do not have any rule for alerting on UDP and ICMP. What should I do? Do I need to write my own rules? Or can I find/download some?

From: jthoel () gmail com
Date: Mon, 25 Mar 2013 21:54:41 -0600
Subject: Re: [Snort-users] Logging - A easy way ?
To: joaodanielnevesss () hotmail com
CC: snort-users () lists sourceforge net

You can make sure it will if you make a local rule looking for udp traffic of type any from your scanning host.

On Mon, Mar 25, 2013 at 2:24 PM, Joao Daniel Neves <joaodanielnevesss () hotmail com> wrote:

Jeremy Hoel,
I have scanned it with nmap (just using UDP): nmap -sV -sU -Pn <host>. I think it should generate a udp alert? Shouldn't it?

Date: Mon, 25 Mar 2013 19:13:36 +0000
Subject: Re: [Snort-users] Logging - A easy way ?
From: jthoel () gmail com
To: joaodanielnevesss () hotmail com
CC: snort-users () lists sourceforge net

Snort only outputs events that are triggered by rules. While running snort did you send/sniff any UDP traffic that would cause a rule to fire?

On Mar 25, 2013 1:00 PM, "Joao Daniel Neves" <joaodanielnevesss () hotmail com> wrote:

A few days ago I wrote about my BASE that was not displaying any UDP alert. It was 100% TCP. Unfortunately I could not resolve it. I'm doing some tests. My plan is very simple. I want to know if snort is checking against UDP. So I want to eliminate BASE from this scenario. According to some documents that I found on the web, it seems that

/usr/local/bin/snort -d -h IP/32 -l /tmp/test -c /etc/snort/snort.conf -s

would write some logging information to /tmp/test. After running the command (in bold), I stop it with 'Ctrl + C'. And so

ls -l /tmp/test

does not display any files! My question is simple: Is this command correct? Will it write logs/alerts to /tmp/test? What command would simply write alerts to a log?
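As an added example (not part of the thread and not a Snort tool), a small Python check that counts active versus commented-out rules per protocol in a rules file; run against the deployed ruleset, it would have shown that no udp/icmp rule could ever fire before any nmap test was attempted. The rules file in the block is a constructed sample, and the header regex only covers the plain `action proto src sport dir dst dport` form.

```python
import re
from collections import Counter

# Snort rule header: [#]action proto src sport dir dst dport [(options)]
# A leading '#' means the rule is commented out and will never fire.
HEADER_RE = re.compile(
    r'^(?P<disabled>#\s*)?'
    r'(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+'
    r'(?:\s*\(.*)?$',
    re.IGNORECASE,
)


def count_rules(text):
    """Return (active, disabled) Counters of rules per protocol."""
    active, disabled = Counter(), Counter()
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # blank lines, ordinary comments, non-rule text
        proto = m.group('proto').lower()
        (disabled if m.group('disabled') else active)[proto] += 1
    return active, disabled


def missing_protocols(text, wanted=('tcp', 'udp', 'icmp')):
    """Protocols with no active rule at all: Snort cannot alert on them."""
    active, _ = count_rules(text)
    return [p for p in wanted if active[p] == 0]


# Constructed sample mirroring the thread: every udp/icmp rule is commented out.
SAMPLE_RULES = """\
# local.rules (constructed sample, not a real ruleset)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH probe"; sid:1000001; rev:1;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP probe"; sid:1000002; rev:1;)
# alert icmp any any -> any any (msg:"ICMP seen"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP request"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    active, disabled = count_rules(SAMPLE_RULES)
    for proto in ('tcp', 'udp', 'icmp'):
        print(f"{proto}: {active[proto]} active, {disabled[proto]} commented out")
    print("no active rules for:", missing_protocols(SAMPLE_RULES))
```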
Current thread:
- Logging - A easy way ? Joao Daniel Neves (Mar 25)
- Re: Logging - A easy way ? Jeremy Hoel (Mar 25)
- Re: Logging - A easy way ? Joao Daniel Neves (Mar 25)
- Re: Logging - A easy way ? Jeremy Hoel (Mar 25)
- Re: Logging - A easy way ? Joao Daniel Neves (Mar 26)
- Re: Logging - A easy way ? Michael Steele (Mar 26)
- Re: Logging - A easy way ? Jeremy Hoel (Mar 26)
- Re: Logging - A easy way ? Joao Daniel Neves (Mar 27)
- Re: Logging - A easy way ? Jeremy Hoel (Mar 27)
- Re: Logging - A easy way ? Joao Daniel Neves (Mar 25)
- Re: Logging - A easy way ? Jeremy Hoel (Mar 25)