Snort mailing list archives
Re: DPX starter kit output: No alert generated
From: Jianyu Li via Snort-users <snort-users () lists snort org>
Date: Thu, 18 Oct 2018 19:37:43 +0000
Hi Russ,

Thank you very much for your reply! I tried the command you provided but there is no output at all:

root@ubuntu1:/home/ubuntu# $my_path/bin/snort --plugin-path /root/snort-3.0.0/lib/ -c /root/snort-3.0.0/etc/snort/snort.lua --lua "dpx={port=8, max=128}; ips.enable_builtin_rules=true" --bpf "tcp port 8" -r test.pcap -A csv -q
root@ubuntu1:/home/ubuntu#

The output without "-q" is as follows:

root@ubuntu1:/home/ubuntu# $my_path/bin/snort --plugin-path /root/snort-3.0.0/lib/ -c /root/snort-3.0.0/etc/snort/snort.lua --lua "dpx={port=8, max=128}; ips.enable_builtin_rules=true" --bpf "tcp port 8" -r test.pcap -A csv
--------------------------------------------------
o")~   Snort++ 3.0.0-247
--------------------------------------------------
Loading /root/snort-3.0.0/etc/snort/snort.lua:
        ssh
        pop
        binder
        stream_tcp
        gtp_inspect
        dce_http_proxy
        stream_icmp
        normalizer
        ftp_server
        stream_udp
        dce_smb
        ips
        modbus
        rpc_decode
        latency
        wizard
        appid
        file_id
        ftp_data
        smtp
        back_orifice
        port_scan
        dce_http_server
        dce_tcp
        telnet
        ssl
        sip
        classifications
        http2_inspect
        http_inspect
        stream_user
        stream_ip
        dnp3
        ftp_client
        stream
        references
        arp_spoof
        dns
        dce_udp
        imap
        stream_file
Finished /root/snort-3.0.0/etc/snort/snort.lua.
Loading builtin:
Finished builtin.
--------------------------------------------------
rule counts
       total rules loaded: 471
            builtin rules: 471
            option chains: 471
            chain headers: 1
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     471       0       0       0
   total     471       0       0       0
Snort BPF option: tcp port 8
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] test.pcap
-- [0] test.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 4
                 analyzed: 4
                    allow: 4
                 rx_bytes: 216
--------------------------------------------------
codec
                    total: 4 (100.000%)
                      eth: 4 (100.000%)
                     ipv4: 4 (100.000%)
                      tcp: 4 (100.000%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 4
--------------------------------------------------
appid
                  packets: 4
        processed_packets: 2
          ignored_packets: 2
           total_sessions: 2
--------------------------------------------------
binder
                  packets: 2
                 inspects: 2
--------------------------------------------------
port_scan
                  packets: 4
--------------------------------------------------
stream_tcp
                 sessions: 2
                      max: 2
                  created: 2
                 released: 2
             instantiated: 2
                   setups: 2
         syn_ack_trackers: 2
                 syn_acks: 2
--------------------------------------------------
latency
            total_packets: 4
              total_usecs: 123
                max_usecs: 67
--------------------------------------------------
stream
                tcp_flows: 2
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.215936
                  packets: 4
                 pkts/sec: 4
o")~   Snort exiting

I didn't find any information about the dpx inspector in the output. Do you think I need to enable it in the Snort configuration? I followed the GitHub README to install Snort 3: https://github.com/snort3/snort3

The pcap file I used is:

root@ubuntu1:/home/ubuntu# tcpdump -vr test.pcap
reading from file test.pcap, link-type EN10MB (Ethernet)
01:53:28.392198 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40)
    10.1.2.3.12345 > 10.9.8.7.8: Flags [S], cksum 0x608d (correct), seq 1, win 256, length 0
01:53:28.392236 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto TCP (6), length 40)
    10.9.8.7.8 > 10.1.2.3.12345: Flags [S.], cksum 0x607b (correct), seq 1, ack 2, win 256, length 0
01:53:28.392273 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto TCP (6), length 40)
    10.1.2.3.12345 > 10.9.8.7.http: Flags [.], cksum 0x6034 (correct), ack 2, win 256, length 0
01:53:28.392324 IP (tos 0x0, ttl 64, id 4, offset 0, flags [none], proto TCP (6), length 40)
    10.4.5.6.12345 > 10.9.8.7.8: Flags [S], cksum 0x5d85 (correct), seq 1, win 256, length 0
01:53:28.392353 IP (tos 0x0, ttl 64, id 5, offset 0, flags [none], proto TCP (6), length 40)
    10.9.8.7.8 > 10.4.5.6.12345: Flags [S.], cksum 0x5d75 (correct), seq 1, ack 2, win 256, length 0
01:53:28.392392 IP (tos 0x0, ttl 64, id 6, offset 0, flags [none], proto TCP (6), length 40)
    10.4.5.6.12345 > 10.9.8.7.http: Flags [.], cksum 0x5d2e (correct), ack 2, win 256, length 0

Thanks,
Jianyu Li

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Russ via Snort-users <snort-users () lists snort org>
Sent: 17 October 2018 23:36
To: snort-users () lists snort org
Subject: Re: [Snort-users] DPX starter kit output: No alert generated

Hi - if you want to give Snort 3 a try instead, here is an example:

$ src/snort --plugin-path install/lib -c install/etc/snort/snort.lua --lua "dpx = { port = 53, max = 128 }; ips.enable_builtin_rules = true" --bpf "udp port 53" -r test.pcap -A csv -q
10/17-18:40:25.535685, 1, UDP, raw, 157, C2S, 10.1.2.3:48620, 10.9.8.7:53, 256:1:1, allow

On 10/17/18 5:45 PM, Jianyu Li via Snort-users wrote:

From: Snort-users <snort-users-bounces () lists snort org> on behalf of wkitty42--- via Snort-users <snort-users () lists snort org>
Sent: 17 October 2018 21:22
To: snort-users () lists snort org
Subject: Re: [Snort-users] DPX starter kit output: No alert generated

On 10/17/18 4:07 PM, Jianyu Li via Snort-users wrote:
I followed the link below to build DPX. https://www.snort.org/documents/dpx-readme
But there is no alert generated in the output of ./test.sh. I am using snort-2.9.12, daq-2.0.6, ubuntu 18.04.1 LTS on VirtualBox.

i don't know anything about dpx but what are the four short rules and what traffic was sent to be analyzed? the output looks to have passed the traffic... it may be that you need to add "-k none" to your snort command line to ensure that checksums are ignored...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list unless*
*a signed and pre-paid contract is in effect with us.*

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Hi wkitty42,

Thank you very much for your reply! I am new to Snort. I tried to add "-k none" to the snort command line but it didn't work; there is still no alert in the output. The content of test.sh is:

root@ubuntu3:~/dpx-1.7# cat test.sh
#!/bin/bash
if [ ! -e setup.sh ] ; then
    echo "ERROR: you must echo SNORT=/path/to/snort/dir > setup.sh first"
    exit -1
fi
. ./setup.sh
export SNORT_PP_DEBUG=0x80000000
$SNORT/src/snort -c test/snort.conf -A console:test -r test/test.pcap

So I think test/snort.conf is used as the configuration file. The content of test/snort.conf is:

root@ubuntu3:~/dpx-1.7/test# cat snort.conf
# default configuration
dynamicpreprocessor directory lib/snort_dynamicpreprocessor
preprocessor dpx: port 8
config binding: 10.1.conf net 10.1.0.0/16
include rules.conf

But there are only two snort rules inside rules.conf; I am not sure why there are 4 snort rules shown in the result:

root@ubuntu3:~/dpx-1.7/test# cat rules.conf
#config autogenerate_preprocessor_decoder_rules
alert ( msg:"tcp src port match"; gid:256; sid:1; )
alert ( msg:"tcp dst port match"; gid:256; sid:2; )

The test/test.pcap was sent to be analyzed:

root@ubuntu3:~/dpx-1.7/test# tcpdump -vr test.pcap
reading from file test.pcap, link-type EN10MB (Ethernet)
01:53:28.392198 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40)
    10.1.2.3.12345 > 10.9.8.7.8: Flags [S], cksum 0x608d (correct), seq 1, win 256, length 0
01:53:28.392236 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto TCP (6), length 40)
    10.9.8.7.8 > 10.1.2.3.12345: Flags [S.], cksum 0x607b (correct), seq 1, ack 2, win 256, length 0
01:53:28.392273 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto TCP (6), length 40)
    10.1.2.3.12345 > 10.9.8.7.http: Flags [.], cksum 0x6034 (correct), ack 2, win 256, length 0
01:53:28.392324 IP (tos 0x0, ttl 64, id 4, offset 0, flags [none], proto TCP (6), length 40)
    10.4.5.6.12345 > 10.9.8.7.8: Flags [S], cksum 0x5d85 (correct), seq 1, win 256, length 0
01:53:28.392353 IP (tos 0x0, ttl 64, id 5, offset 0, flags [none], proto TCP (6), length 40)
    10.9.8.7.8 > 10.4.5.6.12345: Flags [S.], cksum 0x5d75 (correct), seq 1, ack 2, win 256, length 0
01:53:28.392392 IP (tos 0x0, ttl 64, id 6, offset 0, flags [none], proto TCP (6), length 40)
    10.4.5.6.12345 > 10.9.8.7.http: Flags [.], cksum 0x5d2e (correct), ack 2, win 256, length 0

In my understanding, DPX is a Dynamic Preprocessor Example, which can be downloaded from the Snort website. I was trying to test the dynamic preprocessor example; the output should generate alerts, since the dpx preprocessor will listen on port 8 (according to the 3rd line of the snort.conf file) and the tcpdump output showed that some packets' ports are 8.

Thanks,
Jianyu Li

________________________________
From: Jianyu Li
Sent: 17 October 2018 21:07:21
To: snort-users () lists snort org
Subject: DPX starter kit output: No alert generated

Hi

I followed the link below to build DPX. https://www.snort.org/documents/dpx-readme
But there is no alert generated in the output of ./test.sh. I am using snort-2.9.12, daq-2.0.6, ubuntu 18.04.1 LTS on VirtualBox. The following is the output of ./test.sh:

root@ubuntu3:~/dpx-1.7# ./test.sh
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "test/snort.conf"
Tagged Packet Limit: 256
Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor...
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libdpx.so... done
  Finished Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor
Log directory = /var/log/snort

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
4 Snort rules read
    4 detection rules
    0 decoder rules
    0 preprocessor rules
2 Option Chains linked into 2 Chain Headers
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       4       0       0       0
|      nc       4       0       0       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------
+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------
+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: pass->drop->sdrop->reject->alert->log

Verifying Preprocessor Configurations!

[ Port Based Pattern Matching Memory ]
pcap DAQ configured to read-file.
Acquiring network traffic from "test/test.pcap".
Reload thread starting...
Reload thread started, thread 0x7f2fb2e68700 (4175)

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.39 2016-06-14
           Using ZLIB version: 1.2.11

           Preprocessor Object: dpx  Version 1.6  <Build 1>
Commencing packet processing (pid=4174)
===============================================================================
Run time for packet processing was 0.302 seconds
Snort processed 6 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:            6
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       4296704
  Bytes in mapped regions (hblkhd):      31576064
  Total allocated space (uordblks):      3490960
  Total free space (fordblks):           805744
  Topmost releasable block (keepcost):   659328
===============================================================================
Packet I/O Totals:
   Received:            6
   Analyzed:            6 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:            6 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:            6 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:            6 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:            6
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:            6 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
Snort exiting

It would be great if you could help me find out the problem.

Thanks,
Jianyu Li
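Added example, not from the thread nor from Snort or the DPX kit: a small Python check for exactly the situation above, which counts how many packets in the quoted tcpdump output touch the port the dpx preprocessor is bound to (port 8) and tallies alerts per gid:sid in Snort 3 "-A csv" output, reporting which of the two DPX rules (256:1, 256:2) never fired. The csv field order is an assumption taken from the single alert line Russ posted, and the csv alert lines in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample: address/flags lines of the six packets in the thread's tcpdump -v
# output (each packet's preceding "IP (tos ...)" line is omitted).
TCPDUMP_SAMPLE = """\
10.1.2.3.12345 > 10.9.8.7.8: Flags [S], cksum 0x608d (correct), seq 1, win 256, length 0
10.9.8.7.8 > 10.1.2.3.12345: Flags [S.], cksum 0x607b (correct), seq 1, ack 2, win 256, length 0
10.1.2.3.12345 > 10.9.8.7.http: Flags [.], cksum 0x6034 (correct), ack 2, win 256, length 0
10.4.5.6.12345 > 10.9.8.7.8: Flags [S], cksum 0x5d85 (correct), seq 1, win 256, length 0
10.9.8.7.8 > 10.4.5.6.12345: Flags [S.], cksum 0x5d75 (correct), seq 1, ack 2, win 256, length 0
10.4.5.6.12345 > 10.9.8.7.http: Flags [.], cksum 0x5d2e (correct), ack 2, win 256, length 0
"""

# Constructed sample of "-A csv" output as it would look if both DPX rules fired. Field order
# is assumed from the csv line Russ posted: timestamp, pkt_num, proto, pkt_gen, pkt_len, dir,
# src, dst, gid:sid:rev, action.
ALERT_CSV_SAMPLE = """\
10/18-01:53:28.392198, 1, TCP, raw, 54, C2S, 10.1.2.3:12345, 10.9.8.7:8, 256:2:1, allow
10/18-01:53:28.392236, 2, TCP, raw, 54, S2C, 10.9.8.7:8, 10.1.2.3:12345, 256:1:1, allow
"""

SERVICE_NAMES = {"http": 80}  # tcpdump prints well-known ports by name; only "http" occurs here
PKT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\w+) > (\d+\.\d+\.\d+\.\d+)\.(\w+):")

def port_of(token):
    """Turn a tcpdump port token ("8" or "http") into a number; unknown names never match."""
    return int(token) if token.isdigit() else SERVICE_NAMES.get(token, -1)

def packets_touching_port(tcpdump_text, port):
    """Count packets whose TCP source or destination port equals `port`."""
    return sum(1 for m in PKT_RE.finditer(tcpdump_text)
               if port in (port_of(m.group(2)), port_of(m.group(4))))

def alert_counts(csv_text):
    """Count alerts per gid:sid in Snort 3 csv alert output (empty output -> empty Counter)."""
    counts = Counter()
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 9:
            continue  # not an alert line
        gid, sid = fields[8].split(":")[:2]
        counts[f"{gid}:{sid}"] += 1
    return counts

def missing_alerts(csv_text, expected):
    """Return the expected gid:sid values that never appear in the csv output."""
    counts = alert_counts(csv_text)
    return [gs for gs in expected if counts[gs] == 0]

if __name__ == "__main__":
    print("packets on port 8:", packets_touching_port(TCPDUMP_SAMPLE, 8))
    print("missing with the empty output from the thread:", missing_alerts("", ["256:1", "256:2"]))
    print("missing with the constructed output:", missing_alerts(ALERT_CSV_SAMPLE, ["256:1", "256:2"]))
```

With the empty output from the "-q" run in the thread, both DPX rules are reported missing even though four of the six packets have port 8 as source or destination.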
Current thread:
- DPX starter kit output: No alert generated Jianyu Li via Snort-users (Oct 17)
- Re: DPX starter kit output: No alert generated wkitty42--- via Snort-users (Oct 17)
- Re: DPX starter kit output: No alert generated Jianyu Li via Snort-users (Oct 17)
- Re: DPX starter kit output: No alert generated Russ via Snort-users (Oct 17)
- Re: DPX starter kit output: No alert generated Jianyu Li via Snort-users (Oct 18)
- Re: DPX starter kit output: No alert generated Russ via Snort-users (Oct 18)
- Re: DPX starter kit output: No alert generated Jianyu Li via Snort-users (Oct 18)
- Re: DPX starter kit output: No alert generated Russ via Snort-users (Oct 18)
- Re: DPX starter kit output: No alert generated Jianyu Li via Snort-users (Oct 19)
- Re: DPX starter kit output: No alert generated Russ via Snort-users (Oct 19)
- Re: DPX starter kit output: No alert generated Jianyu Li via Snort-users (Oct 20)
- Re: DPX starter kit output: No alert generated Jianyu Li via Snort-users (Oct 20)
- Re: DPX starter kit output: No alert generated Russ via Snort-users (Oct 17)
- Re: DPX starter kit output: No alert generated Jianyu Li via Snort-users (Oct 18)
- Re: DPX starter kit output: No alert generated wkitty42--- via Snort-users (Oct 19)