Re: testing from same machine?

[Martin Roesch <roesch () sourcefire com>]

use the loopback, it works fine...

    -Marty

Phil wrote:
> Can you use the attack.pl test script from the same
> machine that snort is running on? If I'm correct,
> since it directs the traffic to an IP, it will head to
> the right ethernet adapter (elxl0 in my case), even
> though it won't _leave_ and therefore get picked up by
> snort. No?
>
> I added my external IP address to the script and ran
> it... let it go for a while... let it run MANY tests,
> then I killed it after nothign showed up on console or
> in the logs (neither in /var/log/snortlogs or syslog
> and my config sets it to log to both).
>
> RELEVANT INFO:
> Platform: Solaris 2.6 x86
> Snort Version: 1.7
>
> My configuration is:
>
> var HOME_NET $elxl0_ADDRESS
> var EXTERNAL_NET !$HOME_NET
> var SMTP MY.SMTP.SERVER.HERE
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> #var DNS_SERVERS [192.168.1.1/32,10.1.1.1/32]
>
> ...
>
> include /etc/snort/local.rules
> include /etc/snort/exploit.rules
> include /etc/snort/scan.rules
> include /etc/snort/finger.rules
> include /etc/snort/ftp.rules
> include /etc/snort/telnet.rules
> include /etc/snort/smtp.rules
> include /etc/snort/rpc.rules
> include /etc/snort/rservices.rules
> include /etc/snort/backdoor.rules
> include /etc/snort/dos.rules
> include /etc/snort/ddos.rules
> include /etc/snort/dns.rules
> include /etc/snort/netbios.rules
> include /etc/snort/sql.rules
> include /etc/snort/web-cgi.rules
> include /etc/snort/web-coldfusion.rules
> include /etc/snort/web-frontpage.rules
> include /etc/snort/web-misc.rules
> include /etc/snort/web-iis.rules
> include /etc/snort/icmp.rules
> include /etc/snort/misc.rules
> #include policy.rules
> #include info.rules
> #include virus.rules
>
> The stuff in the middle is pretty much default.
>
> My command for running snort is:
> /usr/local/bin/snort -A fast -s -i elxl0 -l
> /var/log/snortlogs -c /etc/snort/snort.conf -D
>
> Here is some output from the attack.pl script:
>
> Simulating attack over udp/111  - "IDS025 - RPC -
> portmap-request-selection_svc"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS019 - RPC -
> portmap-request-amountd"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS016 - RPC -
> portmap-request-bootparam"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS017 - RPC -
> portmap-request-cmsd"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS013 - RPC -
> portmap-request-mountd"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS021 - RPC -
> portmap-request-nisd"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS022 - RPC -
> portmap-request-pcnfsd"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS023 - RPC -
> portmap-request-rexd"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS010 - RPC -
> portmap-request-rstatd"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS018 - RPC -
> portmap-request-admind"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS020 - RPC -
> portmap-request-sadmind"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS015 - RPC -
> portmap-request-status"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS024 - RPC -
> portmap-request-ttdbserv"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS014 - RPC -
> portmap-request-yppasswd"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS012 - RPC -
> portmap-request-ypserv"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/111  - "IDS125 - RPC -
> portmap-request-ypupdated"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/32770:  - "IDS009 -
> RPC-rstatd-query"
>
> ...
>
> Simulating attack over udp/50879  - "IDS181 -
> OVERFLOW-NOOP-X86"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/50225  -
> "OVERFLOW-NOOP-SGI"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over tcp/2530  - "OVERFLOW-NOOP-SGI"
> Host: MY.IP.ADDY.HERE - skipped
> Simulating attack over udp/37725  -
> "OVERFLOW-NOOP-Solaris"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over tcp/41555  -
> "OVERFLOW-NOOP-Solaris"
> Host: MY.IP.ADDY.HERE - skipped
> Simulating attack over udp/3076  -
> "OVERFLOW-NOOP-Sparc"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over tcp/20370  -
> "OVERFLOW-NOOP-Sparc"
> Host: MY.IP.ADDY.HERE - skipped
> Simulating attack over tcp/53  -
> "OVERFLOW-DNS-x86linux-rotsb"
> Host: MY.IP.ADDY.HERE - skipped
> Simulating attack over tcp/23352  -
> "OVERFLOW-NOOP-Sparc"
> Host: MY.IP.ADDY.HERE - skipped
> Simulating attack over tcp/13222  - "OVERFLOW-NOOP-HP"
> Host: MY.IP.ADDY.HERE - skipped
> Simulating attack over tcp/53707  -
> "OVERFLOW-NOOP-X86"
> Host: MY.IP.ADDY.HERE - skipped
> Simulating attack over tcp/53  -
> "OVERFLOW-Named-ADM-NXT - 8.2->8.2.1"
> Host: MY.IP.ADDY.HERE - skipped
> Simulating attack over tcp/53  -
> "OVERFLOW-Named-ADM-NXT - 8.2->8.2.1"
> Host: MY.IP.ADDY.HERE - skipped
> Simulating attack over tcp/53  -
> "OVERFLOW-Named-ADM-NXT - 8.2->8.2.1"
> Host: MY.IP.ADDY.HERE - skipped
> Simulating attack over tcp/57009  - "IDS215 - OVERFLOW
> - Client - netscape47-retrieved"
> Host: MY.IP.ADDY.HERE - skipped
> Simulating attack over tcp/80  - "IDS214 - OVERFLOW -
> Client - netscape47-unsucessful"
> Host: MY.IP.ADDY.HERE - skipped
> Simulating attack over udp/59337  -
> "OVERFLOW-NOOP-Sparc"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over udp/50531  -
> "OVERFLOW-NOOP-AIX"
> Host: MY.IP.ADDY.HERE - OK
> Simulating attack over tcp/53  - "OVERFLOW-named"
> Host: MY.IP.ADDY.HERE - skipped
> Simulating attack over udp/635  -
> "OVERFLOW-x86-linux-mountd2"
>
> Thanks,
> Phil
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Auctions - buy the things you want at great prices
> http://auctions.yahoo.com/
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users