Snort mailing list archives
Snort even though working properly does not report majority of rules
From: Henry Collins <hcol1987 () gmail com>
Date: Mon, 16 Feb 2015 15:42:32 +0100
I have installed Snort 2.9.7.0 and it does not detect the majority of attacks, such as nmap port scans, downloading exe files, or opening documents containing the keyword "root". I use Snort together with Pulled Pork and Barnyard2. Everything seems to function and I can see alerts on the website that is powered by BASE. The problem is that I can only trigger 3 different alerts. Everything else is simply not detected. Obviously I want to be able to get alerts when someone performs port scanning, attempts to perform a DDoS attack and so on. This I cannot trigger. Do I have to enable something somewhere?...

I have made my own local.rules file, which contains a single rule: monitoring of ICMP echo packets. Pulled Pork does show that it has downloaded over 20000 rules and over 5000 rules are enabled. This can be seen in the snort.rules file, which I included in the snort.conf file.

The 3 alerts I am able to trigger are:
- stream5: TCP Small Segment Threshold Exceeded (this is due to my old WinSCP client)
- ssh: Protocol mismatch (this is due to my old PuTTY client)
- ICMP test (my own rule from local.rules)

My snort.conf can be found on the following website (had to move it there because I reached the max chars limit): https://paste.ee/p/RTUgY
My pulledpork.conf can be found on the following website: https://paste.ee/p/ixZqW

My local.rules looks like this (which does work):

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
What is strange is that last Friday, Snort suddenly started to work and used Pulled Pork's rules. However, currently, when I am writing this, it doesn't work anymore. I tried to reinstall Snort, Barnyard2 and everything else on a completely fresh Linux computer. It didn't help.
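As an added example (not from the original post or from the Snort project), a small Python checker for the situation described above: it parses a PulledPork-style snort.rules file, counts rules that are actually active versus commented out, tallies which source/destination variable pairs the active rules cover, and lists rule variables that snort.conf never defines. The embedded conf fragment and rules are constructed samples; read the real snort.conf and snort.rules into the two functions to use it on your own setup, and keep `snort -T -c snort.conf` as the authoritative configuration test.

```python
import re
from collections import Counter

# Constructed sample snort.conf fragment and snort.rules (not the poster's files).
SAMPLE_CONF = """\
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
include $RULE_PATH/snort.rules
"""
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"disabled by pulledpork"; sid:1; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"inbound http"; sid:2; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"outbound http"; sid:3; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"undefined var"; sid:4; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
"""

# Rule header: action proto src sport dir dst dport, followed by the option block.
HEADER = re.compile(
    r'^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(')
# ipvar/portvar/var definitions in snort.conf.
VAR = re.compile(r'^(?:ipvar|portvar|var)\s+(\S+)\s+(\S+)', re.M)

def defined_vars(conf_text):
    """Map variable name -> value for every ipvar/portvar/var line."""
    return dict(VAR.findall(conf_text))

def summarize_rules(rules_text):
    """Count active vs commented-out rules and tally src -> dst variable pairs."""
    stats = {"enabled": 0, "disabled": 0, "flows": Counter(), "vars": set()}
    for line in rules_text.splitlines():
        stripped = line.strip()
        commented = stripped.startswith("#")
        if commented:
            stripped = stripped.lstrip("# ")  # PulledPork disables rules by commenting them
        m = HEADER.match(stripped)
        if not m:
            continue  # plain comment or non-rule line
        if commented:
            stats["disabled"] += 1
            continue
        stats["enabled"] += 1
        _, _, src, sport, _, dst, dport = m.groups()
        stats["flows"][f"{src} -> {dst}"] += 1
        stats["vars"].update(v[1:] for v in (src, sport, dst, dport) if v.startswith("$"))
    return stats

def undefined_vars(conf_text, rules_text):
    """Variables referenced by active rules but never defined in snort.conf."""
    return sorted(summarize_rules(rules_text)["vars"] - set(defined_vars(conf_text)))
```

A large "disabled" count, a flow table dominated by directions your test traffic never takes, or any undefined variable each explain silent rules without Snort reporting an error in BASE.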