Snort mailing list archives

Re: DPX starter kit output: No alert generated


From: Jianyu Li via Snort-users <snort-users () lists snort org>
Date: Wed, 17 Oct 2018 21:45:36 +0000

From: Snort-users <snort-users-bounces () lists snort org> on behalf of wkitty42--- via Snort-users <snort-users () lists snort org>
Sent: 17 October 2018 21:22
To: snort-users () lists snort org
Subject: Re: [Snort-users] DPX starter kit output: No alert generated

On 10/17/18 4:07 PM, Jianyu Li via Snort-users wrote:

I followed the link below to build DPX.

https://www.snort.org/documents/dpx-readme

But there is no alert generated in the output of ./test.sh

I am using snort-2.9.12, daq-2.0.6, ubuntu 18.04.1 LTS on VirtualBox.



i don't know anything about dpx but what are the four short rules and what
traffic was sent to be analyzed? the output looks to have passed the traffic...

it may be that you need to add "-k none" to your snort command line to ensure
that checksums are ignored...

--
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette


Hi wkitty42,


Thank you very much for your reply!

I am new to snort. I tried adding "-k none" to the snort command line, but it didn't work; there is still no alert in
the output.


The content of test.sh is:

root@ubuntu3:~/dpx-1.7# cat test.sh
#!/bin/bash

if [ ! -e setup.sh ] ; then
    echo "ERROR: you must echo SNORT=/path/to/snort/dir > setup.sh first"
    exit -1
fi

. ./setup.sh

export SNORT_PP_DEBUG=0x80000000
$SNORT/src/snort -c test/snort.conf -A console:test -r test/test.pcap


So I think the test/snort.conf is used as the configuration file, the content of test/snort.conf is:

root@ubuntu3:~/dpx-1.7/test# cat snort.conf
# default configuration
dynamicpreprocessor directory lib/snort_dynamicpreprocessor
preprocessor dpx: port 8
config binding: 10.1.conf net 10.1.0.0/16
include rules.conf


But there are only two snort rules inside rules.conf, so I am not sure why there are 4 snort rules shown in the result:

root@ubuntu3:~/dpx-1.7/test# cat rules.conf
#config autogenerate_preprocessor_decoder_rules
alert ( msg:"tcp src port match"; gid:256; sid:1; )
alert ( msg:"tcp dst port match"; gid:256; sid:2; )

The test/test.pcap was sent to be analyzed:
root@ubuntu3:~/dpx-1.7/test# tcpdump -vr test.pcap
reading from file test.pcap, link-type EN10MB (Ethernet)
01:53:28.392198 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40)
    10.1.2.3.12345 > 10.9.8.7.8: Flags [S], cksum 0x608d (correct), seq 1, win 256, length 0
01:53:28.392236 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto TCP (6), length 40)
    10.9.8.7.8 > 10.1.2.3.12345: Flags [S.], cksum 0x607b (correct), seq 1, ack 2, win 256, length 0
01:53:28.392273 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto TCP (6), length 40)
    10.1.2.3.12345 > 10.9.8.7.http: Flags [.], cksum 0x6034 (correct), ack 2, win 256, length 0
01:53:28.392324 IP (tos 0x0, ttl 64, id 4, offset 0, flags [none], proto TCP (6), length 40)
    10.4.5.6.12345 > 10.9.8.7.8: Flags [S], cksum 0x5d85 (correct), seq 1, win 256, length 0
01:53:28.392353 IP (tos 0x0, ttl 64, id 5, offset 0, flags [none], proto TCP (6), length 40)
    10.9.8.7.8 > 10.4.5.6.12345: Flags [S.], cksum 0x5d75 (correct), seq 1, ack 2, win 256, length 0
01:53:28.392392 IP (tos 0x0, ttl 64, id 6, offset 0, flags [none], proto TCP (6), length 40)
    10.4.5.6.12345 > 10.9.8.7.http: Flags [.], cksum 0x5d2e (correct), ack 2, win 256, length 0

In my understanding, DPX is a Dynamic Preprocessor Example, which can be downloaded from the snort website. I was
trying to test the dynamic preprocessor example; the output should generate the alerts, since the dpx preprocessor will
listen on port 8 (according to the 3rd line of the snort.conf file), and the tcpdump output showed that some packets use port 8.


Thanks,
Jianyu Li
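As an added diagnostic (not from the thread or the DPX kit), the script below parses the quoted snort.conf lines and the quoted tcpdump flows to show which policy each packet is bound to and which packets touch the dpx port. It assumes that a `config binding: ... net` entry selects its policy when either endpoint of the packet lies in the listed network; the tcpdump text and config are constructed from the lines quoted above, with "http" mapped to port 80 as tcpdump prints it.

```python
import ipaddress
import re

# Constructed from the tcpdump -vr lines quoted in the thread (details trimmed).
TCPDUMP_LINES = """\
10.1.2.3.12345 > 10.9.8.7.8: Flags [S], seq 1
10.9.8.7.8 > 10.1.2.3.12345: Flags [S.], seq 1, ack 2
10.1.2.3.12345 > 10.9.8.7.http: Flags [.], ack 2
10.4.5.6.12345 > 10.9.8.7.8: Flags [S], seq 1
10.9.8.7.8 > 10.4.5.6.12345: Flags [S.], seq 1, ack 2
10.4.5.6.12345 > 10.9.8.7.http: Flags [.], ack 2
"""

# The two relevant lines of the quoted test/snort.conf.
SNORT_CONF = """\
preprocessor dpx: port 8
config binding: 10.1.conf net 10.1.0.0/16
"""

PORT_NAMES = {"http": 80}  # service names tcpdump substitutes for numbers
FLOW_RE = re.compile(r"^(\S+)\.(\S+) > (\S+)\.(\S+):")

def port_num(tok):
    return PORT_NAMES.get(tok) or int(tok)

def parse_flows(text):
    """Return (src, sport, dst, dport) tuples from tcpdump summary lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            src, sport, dst, dport = m.groups()
            flows.append((src, port_num(sport), dst, port_num(dport)))
    return flows

def parse_conf(text):
    """Pull the dpx port and the net bindings (in order) out of snort.conf."""
    dpx_port, bindings = None, []
    for line in text.splitlines():
        m = re.match(r"preprocessor dpx: port (\d+)", line)
        if m:
            dpx_port = int(m.group(1))
        m = re.match(r"config binding: (\S+) net (\S+)", line)
        if m:
            bindings.append((m.group(1), ipaddress.ip_network(m.group(2))))
    return dpx_port, bindings

def policy_for(src, dst, bindings):
    # Assumption: a net binding matches if either endpoint is inside the net.
    for conf, net in bindings:
        if ipaddress.ip_address(src) in net or ipaddress.ip_address(dst) in net:
            return conf
    return "default"

def classify(tcpdump_text, conf_text):
    """For each packet: (policy file that handles it, touches dpx port?)."""
    dpx_port, bindings = parse_conf(conf_text)
    return [(policy_for(s, d, bindings), dpx_port in (sp, dp))
            for s, sp, d, dp in parse_flows(tcpdump_text)]
```

Running it on the quoted data shows the three 10.1.2.3 packets going to the bound 10.1.conf policy and only the two 10.4.5.6 port-8 packets reaching the default snort.conf where dpx is configured.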


________________________________
From: Jianyu Li
Sent: 17 October 2018 21:07:21
To: snort-users () lists snort org
Subject: DPX starter kit output: No alert generated


Hi


I followed the link below to build DPX.

https://www.snort.org/documents/dpx-readme


But there is no alert generated in the output of ./test.sh


I am using snort-2.9.12, daq-2.0.6, ubuntu 18.04.1 LTS on VirtualBox.


The following is the output of ./test.sh


root@ubuntu3:~/dpx-1.7# ./test.sh
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "test/snort.conf"
Tagged Packet Limit: 256
Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor...
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libdpx.so... done
  Finished Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor
Log directory = /var/log/snort

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
4 Snort rules read
    4 detection rules
    0 decoder rules
    0 preprocessor rules
2 Option Chains linked into 2 Chain Headers
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       4       0       0       0
|      nc       4       0       0       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!

[ Port Based Pattern Matching Memory ]
pcap DAQ configured to read-file.
Acquiring network traffic from "test/test.pcap".
Reload thread starting...
Reload thread started, thread 0x7f2fb2e68700 (4175)

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.39 2016-06-14
           Using ZLIB version: 1.2.11

           Preprocessor Object: dpx  Version 1.6  <Build 1>
Commencing packet processing (pid=4174)
===============================================================================
Run time for packet processing was 0.302 seconds
Snort processed 6 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:            6
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       4296704
  Bytes in mapped regions (hblkhd):      31576064
  Total allocated space (uordblks):      3490960
  Total free space (fordblks):           805744
  Topmost releasable block (keepcost):   659328
===============================================================================
Packet I/O Totals:
   Received:            6
   Analyzed:            6 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:            6 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:            6 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:            6 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:            6
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:            6 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
Snort exiting



I would be grateful if you could help me find out the problem.


Thanks,

Jianyu Li
