Re: Snort-users Digest, Vol 16, Issue 1

[Oflodrog Onitaleg via Snort-users <snort-users () lists snort org>]

Thank you for your reply and for the RFC-1918 reminder!

If it's confusing I can include full numbers on future posts.  Please do
let me know either way.

However,  problem is now fixed. Alerts are now showing in the console.

@ubuntu:~$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c
/etc/snort/snort.conf -i ens33
09/03-23:12:55.445807  [**] [1:10000001:1] ICMP test detected [**]
[Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.Y ->
192.168.1.X
09/03-23:12:55.445858  [**] [1:10000001:1] ICMP test detected [**]
[Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.X ->
192.168.1.Y
09/03-23:12:56.470756  [**] [1:10000001:1] ICMP test detected [**]
[Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.Y ->
192.168.1.X
(...)
^C*** Caught Int-Signal


The change I made is reflected below:

@ubuntu:~$ cat /etc/snort/snort.conf
(...)
44 # Setup the network addresses you are protecting
45 ipvar HOME_NET 192.168.*1*.0/24
(...)



Thanks!

On Sun, Sep 2, 2018 at 1:04 AM <snort-users-request () lists snort org> wrote:

> Send Snort-users mailing list submissions to
>         snort-users () lists snort org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.snort.org/mailman/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>         snort-users-request () lists snort org
>
> You can reach the person managing the list at
>         snort-users-owner () lists snort org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
> When responding, please don't respond with the entire Digest.  Please trim
> your response.
> Today's Topics:
>
>    1. Issue: Output on console not displayed on Snort computer
>       (Benjamin Sanchez Murillo)
>    2. Re: Issue: Output on console not displayed on Snort computer
>       (wkitty42 () windstream net)
>
>
>
> ---------- Forwarded message ----------
> From: Benjamin Sanchez Murillo <eljami () gmail com>
> To: snort-users () lists snort org
> Cc:
> Bcc:
> Date: Sat, 1 Sep 2018 09:04:28 +0900
> Subject: [Snort-users] Issue: Output on console not displayed on Snort
> computer
> Hello,
>
> I am trying to configure Snort on Ubuntu by following the Snort Set Guide
> Snort_2.9.9.x_on_Ubuntu_14-16.pdf by Noah Dietrich. I am stock on section
> 12 Writing a Simple Rule to Test Snort Detection, page 11.  Please let me
> know if you can help me solve my issue below. Thank you!
>
> -----------------------------------------------
> 1) Issue:
> Output on console not displayed on Snort computer (Ubuntu: 192.168.1.X)
> when I ping it from another computer (Kali: 192.168.1.Y)
>
> 2) Steps to recreate:
> @ubuntu:~$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c
> /etc/snort/snort.conf -i ens33
> (blinking cursor)
>
>
> @kali:~# ping 192.168.1.X
> 64 bytes from 192.168.1.X: icmp_seq=1 ttl=64 time=1.06 ms
> 64 bytes from 192.168.1.X: icmp_seq=2 ttl=64 time=0.885 ms
> 64 bytes from 192.168.1.X: icmp_seq=3 ttl=64 time=0.391 ms
> (...)
> --- 192.168.1.X ping statistics ---
> 21 packets transmitted, 21 received, 0% packet loss, time 454ms
> rtt min/avg/max/mdev = 0.251/0.624/1.565/0.259 ms
>
> 3) Results:
> Ubuntu machine's cursor continues to blink, however, I don't see expected
> "ICMP test detected" message in the console.
>
>
> 4) Background:
>
> Ubuntu and Kali installed on VMware both configured as Bridged (Autodetect)
> I can ping Kali from Ubuntu & Ubuntu from Kali both with 0% packet loss
>
> @ubuntu:~$ uname -a
> Linux ubuntu 4.15.0-33-generic #36~16.04.1-Ubuntu SMP Wed Aug 15 17:21:05
> UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>
> @ubuntu:~$ snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.11.1 GRE (Build 268)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/contact#team
>            Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights
> reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.7.4
>            Using PCRE version: 8.38 2015-11-23
>            Using ZLIB version: 1.2.8
>
> @ubuntu:~$ ifconfig | grep "inet add"
>           inet addr:192.168.1.X  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet addr:127.0.0.1  Mask:255.0.0.0
>
> 5) The snort.conf file
>
> @ubuntu:~$ sudo vi /etc/snort/snort.conf
> (...)
> 44 # Setup the network addresses you are protecting
> 45 ipvar HOME_NET 192.168.0.0/24
> (...)
> 545 # site specific rules
> 546 include $RULE_PATH/local.rules
> (...)
>
> 6) The local.rules file
> @ubuntu:~$ sudo vi /etc/snort/rules/local.rules
>
> alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1;
> sid:10000001; rev:001; classtype:icmp-event;)
>
> 7) The sid-msg.map file
> @ubuntu:~$ sudo vi /etc/snort/sid-msg.map
>
> #v2
> 1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,
> tools.ietf.org/html/rfc792
>
> 8) Testing snort.conf to see if the rule has been loaded
> @ubuntu:~$ sudo snort -T -i ens33 -c /etc/snort/snort.conf
>
> (...)
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 1 Snort rules read
>     1 detection rules
>     0 decoder rules
>     0 preprocessor rules
> 1 Option Chains linked into 1 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> +-------------------[Rule Port
> Counts]---------------------------------------
> |             tcp     udp    icmp      ip
> |     src       0       0       0       0
> |     dst       0       0       0       0
> |     any       0       0       1       0
> |      nc       0       0       1       0
> |     s+d       0       0       0       0
>
> +----------------------------------------------------------------------------
>
> Snort successfully validated the configuration!
> Snort exiting
> (...)
>
> @ubuntu:/var/log/snort$ ls -a
> .  ..  archived_logs
>
> @ubuntu:/var/log/snort/archived_logs$ ls -a
> .  ..
>
>
>
>
> ---------- Forwarded message ----------
> From: wkitty42 () windstream net
> To: snort-users () lists snort org
> Cc:
> Bcc:
> Date: Sat, 1 Sep 2018 02:29:31 -0400
> Subject: Re: [Snort-users] Issue: Output on console not displayed on Snort
> computer
> On 08/31/2018 08:04 PM, Benjamin Sanchez Murillo via Snort-users wrote:
> > 1) Issue:
> > Output on console not displayed on Snort computer (Ubuntu: 192.168.1.X)
> when I
> > ping it from another computer (Kali: 192.168.1.Y)
>
>
> first off, there is no need to mask RFC-1918 IP numbers... they are not
> accessible outside of the local network...
>
>
> > 2) Steps to recreate:
> > @ubuntu:~$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c
> > /etc/snort/snort.conf -i ens33
> > (blinking cursor)
>
>
> you do not state what your NIC is... try adding "-k none" to your command
> line...
>
> perhaps your NIC has offloading capabilities? disable them if so... you
> need the
> NIC to hand everything to snort...
>
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         *Please keep mailing list traffic on the list unless*
>         *a signed and pre-paid contract is in effect with us.*
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-users
>
>         To unsubscribe, send an email to:
>         snort-users-leave () lists snort org
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette