Snort mailing list archives
Re: finding which rule
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 25 Jul 2014 14:20:20 +0000
Try: snort -c /path/to/snort.conf -A console -i eth0
On Jul 25, 2014, at 10:13 AM, Richard Smollett <yawningdogge () gmail com> wrote:

Yes. The file indicated in the snort.conf file is the empty one. I used #locate to see if there were any others, and there was one in my source package that was loaded with rules. I've moved that one to where the snort.conf file says it should be. Now I guess it's just a question of finding the correct rule and grooming it.

I guess the only question from here is... how did snort have awareness of the rule if it wasn't where snort was configured to look for it?

I ran snort in console and got this. I'm still in the dark.

root@snort:/etc/snort# snort -A console
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.2 GRE (Build 77)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=20844)

On Thu, Jul 24, 2014 at 7:15 PM, Y M <snort () outlook com> wrote:

> Date: Thu, 24 Jul 2014 16:10:30 -0400
> From: yawningdogge () gmail com
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] finding which rule
>
> 1. I didn't explicitly put them there, but I've checked all the files against the snort.conf and pulledpork.conf files and the files/directories are indeed there.

In an earlier post you suggested the preprocessor.rules file is empty. Does the file which snort.conf states is also empty?

> 2. Sorry, but I'm not seeing those stats anywhere when I start or stop snort. Do I need a specific tag to generate them?

Run Snort in console mode "-A console" and do not use "-q". You will start seeing Snort initializing and loading libraries and preprocessors; after that there will be a section with "Initializing rule chains...". Look for the loaded rules stats in this section.

On Thu, Jul 24, 2014 at 4:03 PM, Y M <snort () outlook com> wrote:

> Date: Thu, 24 Jul 2014 15:52:50 -0400
> From: yawningdogge () gmail com
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] finding which rule
>
> I use pulledpork.

1. When you deployed Snort, did you copy all of the necessary files to the respective directories (so_rules, preproc_rules, etc.)?
2. When you run Snort, from the run stats, under "Snort rules read", how many preprocessor rules are being loaded?

A correction about my initial post: I said it is sid:2, I should have said sid:1 based on your alert data.

On Thu, Jul 24, 2014 at 3:50 PM, Y M <snort () outlook com> wrote:

> Date: Thu, 24 Jul 2014 15:44:24 -0400
> From: yawningdogge () gmail com
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] finding which rule
>
> My preprocessor.rules file is blank

How did you copy/install your rules?

On Thu, Jul 24, 2014 at 3:24 PM, Y M <snort () outlook com> wrote:

> Date: Thu, 24 Jul 2014 15:02:34 -0400
> From: yawningdogge () gmail com
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] finding which rule
>
> I'm getting a lot of alerts that look like this.
>
> [**] [129:20:1] Snort Alert [129:20:1] [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 07/24-14:15:35.196146 172.28.61.104:22 -> 172.28.61.88:20309
> TCP TTL:64 TOS:0x10 ID:59076 IpLen:20 DgmLen:104 DF
> ***AP*** Seq: 0x8055FA2A  Ack: 0x450C8A09  Win: 0x545  TcpLen: 20
>
> How do I go about finding the rule that generated this alert?

The "[129:20:1]" stands for [GID:SID:REV]. GID with value 129 is generated by the Stream5 preprocessor (http://manual.snort.org/node18.html), and the alert sid is 2. You can go with something similar to (assuming you are running *nix):

grep "sid: 2; gid: 129" /your/pathto/preproc_rules/preprocessor.rules

Though you may not get the exact content match upon which this signature is matching, it has references to CVE/Bugtraq. In general, the alert warns about existing payload on a SYN packet, which may be categorized as unusual behavior; i.e., sending data on the initial SYN. You need to investigate to determine if it is legit or not.

The reason your alert is showing as "Snort Alert" instead of the actual signature message is that the sid-msg.map is not updated with the specific signature information.

YM
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
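The GID:SID:REV lookup that Y M describes, as an added Python example that is not part of the thread: it parses a console alert header, matches the gid and sid options of a rule in preprocessor.rules as whole values (so a search for sid 2 does not also hit sid 20, as a plain substring grep would), and checks whether sid-msg.map carries the sid, which is what decides between a real rule message and the generic "Snort Alert". The rule lines and the map are constructed samples, and the map is assumed to use the "sid || msg" layout.

```python
import re
# Alert header as printed by Snort's console output plugin ("-A console").
ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
# Constructed sample in the layout of a Snort 2.x preprocessor.rules file.
PREPROC_RULES = """\
# Stream5 preprocessor events (gid 129); illustrative values, not a shipped file
alert ( msg: "STREAM5_SYN_ON_EST"; sid: 1; gid: 129; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "STREAM5_DATA_ON_SYN"; sid: 20; gid: 129; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
"""
# Constructed sid-msg.map ("sid || msg" layout) with no Stream5 entry: that gap
# is why the console prints the generic "Snort Alert" instead of a rule message.
SID_MSG_MAP = """\
1000001 || LOCAL test rule
"""

def parse_alert(line):
    """Return (gid, sid, rev, msg) from an alert header line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev, msg = m.groups()
    return int(gid), int(sid), int(rev), msg

def find_rule(rules_text, gid, sid):
    """Rule line whose gid and sid options match exactly ('sid: 2' != 'sid: 20')."""
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts = dict(re.findall(r"\b(gid|sid)\s*:\s*(\d+)", line))
        if opts.get("gid") == str(gid) and opts.get("sid") == str(sid):
            return line.strip()
    return None

def has_map_entry(map_text, sid):
    """True if sid-msg.map has a line for this sid in its first '||' column."""
    return any(l.split("||")[0].strip() == str(sid)
               for l in map_text.splitlines() if "||" in l)

def explain(alert_line, rules_text=PREPROC_RULES, map_text=SID_MSG_MAP):
    """Resolve an alert header to its rule and report whether sid-msg.map knows it."""
    parsed = parse_alert(alert_line)
    if parsed is None:
        return None
    gid, sid, rev, msg = parsed
    rule = find_rule(rules_text, gid, sid)
    m = re.search(r'msg\s*:\s*"([^"]*)"', rule) if rule else None
    return {"gid": gid, "sid": sid, "rev": rev, "alert_msg": msg,
            "rule_msg": m.group(1) if m else None,
            "mapped": has_map_entry(map_text, sid)}
```

Running `explain()` on the alert line from the thread resolves it to the gid 129 / sid 20 rule and reports `mapped` as False, the condition under which the console shows "Snort Alert".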