Snort mailing list archives

Re: FW: AW: Libovar Man info.


From: Rameez Qureshi <rameez_q () hotmail co uk>
Date: Wed, 9 Apr 2014 18:28:24 +0100

I have gone through the example configuration and my snort.conf file, which is attached, is nearly the same.
I need to add the rules but I'm unsure where to, as I have pointed to the rule paths for each rule and this is not
working. Or do I need to add each rule into the actual config file?

Here is the output when running in IDS mode

root@kali:/usr/src# snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 
2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 
7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 
8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 
50002 51423 53331 55252 55555 56712 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 
1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 
7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 
8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 
44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Tagged Packet Limit: 256
Log directory = ./log

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
0 Snort rules read
    0 detection rules
    0 decoder rules
    0 preprocessor rules
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       0       0       0       0
|      nc       0       0       0       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Reload thread starting...
Reload thread started, thread 0xb6cd4b70 (6375)
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.2.1
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=6370)
^Z
[8]+  Stopped                 snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf


From: jesler () cisco com
To: rameez_q () hotmail co uk; nmavis () cisco com
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: AW: Libovar Man info.
Date: Wed, 9 Apr 2014 16:51:25 +0000

https://www.snort.org/vrt/snort-conf-configurations/

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

From: Rameez Qureshi <rameez_q () hotmail co uk>
Date: Wednesday, April 9, 2014 at 12:35 PM
To: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] FW: AW: Libovar Man info.

Hello

I don't quite understand where to add the rules in the snort.conf file. Can you tell me what section, and give an example
of what it should include?

All help so far is greatly appreciated.

Thanks

Rameez

From: nmavis () cisco com
To: rameez_q () hotmail co uk
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: AW: Libovar Man info.
Date: Wed, 9 Apr 2014 16:29:05 +0000

Rameez,

You still have zero rule files included in your snort.conf as they are all commented out. In the future, please CC the
mailing list instead of contacting me directly off list.

Nick

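The two questions in this thread are "where do the rules go" and "why does Snort report 0 rules read". Both come down to the Step 7 include lines in snort.conf. The following shell script is an added example, not from any of the posts and not from the Snort project; it uses a constructed snort.conf fragment (the var lines and rule file names are made up for illustration, not Rameez's attached file). It counts the include directives Snort will actually parse versus those disabled by a leading '#', expands $RULE_PATH-style variables to show where the active ones point, and produces a fixed copy with a chosen include re-enabled. Zero active includes is the condition that yields "0 Snort rules read" in the output quoted above.

```shell
#!/bin/sh
# Constructed snort.conf fragment (not the poster's file): a Step 7 section in
# which most rule includes have been commented out.
CONF="$(mktemp)"
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
###################################################
# Step #7: Customize your rule set
###################################################
# site specific rules
#include $RULE_PATH/local.rules
#include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
#include $PREPROC_RULE_PATH/preprocessor.rules
EOF

# Count include directives Snort will parse: uncommented lines whose first
# token is "include". grep -c exits 1 when the count is 0, so keep set -e happy.
active_includes() {
    grep -c -E '^[[:space:]]*include[[:space:]]' "$1" || true
}

# Count include directives that have been disabled with a leading '#'.
commented_includes() {
    grep -c -E '^[[:space:]]*#[[:space:]]*include[[:space:]]' "$1" || true
}

# Print the paths of active includes with $NAME variables expanded from the
# "var NAME value" lines in the same file, so they can be checked on disk.
resolve_includes() {
    awk '
        $1 == "var" { vars[$2] = $3; next }
        $1 == "include" {
            path = $2
            for (v in vars) gsub("\\$" v, vars[v], path)
            print path
        }
    ' "$1"
}

# Write a copy of the config with the include for the named rule file
# uncommented: the fix this thread converges on (enable the include line,
# rather than pasting rule text into snort.conf).
enable_include() {
    conf="$1"; rules="$2"; out="$3"
    sed -E "s|^[[:space:]]*#[[:space:]]*(include[[:space:]].*/$rules)[[:space:]]*$|\1|" "$conf" > "$out"
}

# Summary for the reader; a config with 0 active includes loads 0 rules.
report() {
    echo "active includes:    $(active_includes "$1")"
    echo "commented includes: $(commented_includes "$1")"
    echo "resolved rule files:"
    resolve_includes "$1"
}

report "$CONF"
```

Run it against a real snort.conf by replacing the heredoc with the path to that file; if "active includes" is 0, Snort has nothing to load no matter how the rule paths are set.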
From: Rameez Qureshi <rameez_q () hotmail co uk>
Date: Wednesday, April 9, 2014 at 11:45 AM
To: nmavis <nmavis () cisco com>
Subject: RE: [Snort-users] FW: AW: Libovar Man info.

Hello

I have altered my snort.conf to include the rules but still nothing is showing up?

It is under step 7 in my snort.conf file.

Thanks

Rameez

From: nmavis () cisco com
To: rameez_q () hotmail co uk
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: AW: Libovar Man info.
Date: Wed, 9 Apr 2014 15:03:11 +0000

Rameez,

Please download the latest rule set from snort.org and add an include for those rule files within your snort.conf. I
would recommend reading over the following:

http://manual.snort.org/node15.html

Nick

From: Rameez Qureshi <rameez_q () hotmail co uk>
Date: Wednesday, April 9, 2014 at 10:57 AM
To: nmavis <nmavis () cisco com>
Subject: Re: [Snort-users] FW: AW: Libovar Man info.

Thanks for the quick reply.
This may seem silly, but how would I correct that?
Would it be adding the sections from the rules to the snort.conf file under the appropriate sections, or simply linking
them correctly?

Thanks again for the reply.

On 9 Apr 2014, at 03:48 PM, "Nicholas Mavis (nmavis)" <nmavis () cisco com> wrote:

Rameez,

You don’t have any rule files included in your snort.conf, therefore Snort will not load any rules.

Nick

From: Rameez Qureshi <rameez_q () hotmail co uk>
Date: Wednesday, April 9, 2014 at 10:42 AM
To: "Snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: [Snort-users] FW: AW: Libovar Man info.

Hello

I am having some problems when running snort. In packet mode it seems to pick up all packets fine.

When running in IDS mode none of the snort rules are read and no outputs are generated when I try to test snort by ping
scan or nmap scan.

I have attached my snort.conf in a separate document.

When running snort as below the following output is generated:

root@kali:/usr/src# snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 
2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 
7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 
8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 
50002 51423 53331 55252 55555 56712 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 
1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 
7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 
8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 
44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Tagged Packet Limit: 256
Log directory = ./log

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
0 Snort rules read
    0 detection rules
    0 decoder rules
    0 preprocessor rules
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       0       0       0       0
|      nc       0       0       0       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Reload thread starting...
Reload thread started, thread 0xb6c8ab70 (3718)
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.2.1
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.7

Any help is greatly appreciated
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!