Re: Logging - A easy way ?

[Jeremy Hoel <jthoel () gmail com>]

Hahaha!  That's funny. Wow. Well its good you figured out what the problem
was.  As far as tuning goes.. that's the fun part. Understanding the rules
and the variables goes a long way towards removing false positives.  That
and knowing what it is you want to look for.

Good luck!
On Mar 27, 2013 6:01 AM, "Joao Daniel Neves" <joaodanielnevesss () hotmail com>
wrote:

> Hi Guys,
>
> I think it is working. The guy who deployed Snort have commented all
> udp/icmp rules.
> I asked "Why did you do that?"  He told me "Attacks only came from TCP
> packages".
> Unfortunally I can not fire him.
>
> I'm not tuning Snort since, there are a lot (false) ICMP alerts.
>
> > From: jthoel () gmail com
> > Date: Tue, 26 Mar 2013 17:40:15 +0000
> > Subject: Re: [Snort-users] Logging - A easy way ?
> > To: joaodanielnevesss () hotmail com
> > CC: snort-users () lists sourceforge net
> >
> > Change the icmp to UDP (or add another rule to do that).. do a UDP,
> > then the alert should fire.. then you know snort itself is seeing the
> > udp packets at that box.
> >
> > and if you want to see if it works sniffing the netowkr, then udp scan
> > another box, whos traffic should pass through the span port, and then
> > see if it fires.
> >
> >
> >
> > On Tue, Mar 26, 2013 at 1:37 PM, Joao Daniel Neves
> > <joaodanielnevesss () hotmail com> wrote:
> > > Hi Jeremy,
> > >
> > > I would like to thank your help. I have write a very simple rule for
> alert
> > > ICMP.
> > >
> > > alert icmp any any -> any any
> > >
> > > Just it. So it sems that I do not have any rule for alerting UDP and
> ICMP.
> > > What should I do ? Did I need to write my own rules ? Or I can
> find/download
> > > some?
> > >
> > >
> > >
> > >
> > > > From: jthoel () gmail com
> > > > Date: Mon, 25 Mar 2013 21:54:41 -0600
> > >
> > > > Subject: Re: [Snort-users] Logging - A easy way ?
> > > > To: joaodanielnevesss () hotmail com
> > > > CC: snort-users () lists sourceforge net
> > >
> > > > You can make sure it will if you make a local rule looking for udp
> > > > traffic of type any from your scanning host.
> > > >
> > > > On Mon, Mar 25, 2013 at 2:24 PM, Joao Daniel Neves
> > > > <joaodanielnevesss () hotmail com> wrote:
> > > > > Jeremy Hoel,
> > > > >
> > > > > I have scanned it with nmap (just using UDP)
> > > > >
> > > > > nmap -sV -sU -Pn <host>.
> > > > >
> > > > > I think it should generate an udp alert? Shouldn't it?
> > > > >
> > > > > ________________________________
> > > > > Date: Mon, 25 Mar 2013 19:13:36 +0000
> > > > > Subject: Re: [Snort-users] Logging - A easy way ?
> > > > > From: jthoel () gmail com
> > > > > To: joaodanielnevesss () hotmail com
> > > > > CC: snort-users () lists sourceforge net
> > > > >
> > > > >
> > > > > Snort only outputs events that are triggered by rules. While running
> > > > > snort
> > > > > did you send/sniff and UDP traffic that would cause a rule to fire?
> > > > >
> > > > > On Mar 25, 2013 1:00 PM, "Joao Daniel Neves"
> > > > > <joaodanielnevesss () hotmail com>
> > > > > wrote:
> > > > >
> > > > > A few days agos I wrote about my BASE that was not displaying any
> UDP
> > > > > alert.
> > > > > It was 100% TCP. Unfortunately I could not resolve it. I'm doing
> some
> > > > > tests.
> > > > > My plan is very simple. I want to know if snort is checking against
> UDP.
> > > > > So
> > > > > I want to elimita BASE from this scenario.
> > > > > Acording with some documents that I found on the web, it seems that
> > > > > /usr/local/bin/snort -d -h IP/32 -l /tmp/test -c
> /etc/snort/snort.conf
> > > > > -s
> > > > > Would write some logging information to /tmp/test.
> > > > >
> > > > > After running the command (in bold). I stop it with 'Ctrl + C'. And
> so
> > > > > ls -l /tmp/test do not display any files!
> > > > >
> > > > > My question is simple: Is this command correct ? Will it write
> > > > > logs/alert to
> > > > > /tmp/test ?
> > > > > What command would do simple write alerts to log?
> ------------------------------------------------------------------------------
> > > > > Everyone hates slow websites. So do we.
> > > > > Make your web apps faster with AppDynamics
> > > > > Download AppDynamics Lite for free today:
> > > > > http://p.sf.net/sfu/appdyn_d2d_mar
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > > >
> > > > > Please visit http://blog.snort.org to stay current on all the
> latest
> > > > > Snort
> > > > > news!
------------------------------------------------------------------------------
Own the Future-Intel&reg; Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest.
Compete for recognition, cash, and the chance to get your game 
on Steam. $5K grand prize plus 10 genre and skill prizes. 
Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!