Snort mailing list archives
Re: testing from same machine?
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 07 May 2001 00:15:54 -0400
use the loopback, it works fine...

-Marty

Phil wrote:

Can you use the attack.pl test script from the same machine that snort is running on? If I'm correct, since it directs the traffic to an IP, it will head to the right ethernet adapter (elxl0 in my case), even though it won't _leave_, and therefore get picked up by snort. No?

I added my external IP address to the script and ran it... let it go for a while... let it run MANY tests, then I killed it after nothing showed up on console or in the logs (neither in /var/log/snortlogs or syslog, and my config sets it to log to both).

RELEVANT INFO:
Platform: Solaris 2.6 x86
Snort Version: 1.7

My configuration is:

    var HOME_NET $elxl0_ADDRESS
    var EXTERNAL_NET !$HOME_NET
    var SMTP MY.SMTP.SERVER.HERE
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    #var DNS_SERVERS [192.168.1.1/32,10.1.1.1/32]
    ...
    include /etc/snort/local.rules
    include /etc/snort/exploit.rules
    include /etc/snort/scan.rules
    include /etc/snort/finger.rules
    include /etc/snort/ftp.rules
    include /etc/snort/telnet.rules
    include /etc/snort/smtp.rules
    include /etc/snort/rpc.rules
    include /etc/snort/rservices.rules
    include /etc/snort/backdoor.rules
    include /etc/snort/dos.rules
    include /etc/snort/ddos.rules
    include /etc/snort/dns.rules
    include /etc/snort/netbios.rules
    include /etc/snort/sql.rules
    include /etc/snort/web-cgi.rules
    include /etc/snort/web-coldfusion.rules
    include /etc/snort/web-frontpage.rules
    include /etc/snort/web-misc.rules
    include /etc/snort/web-iis.rules
    include /etc/snort/icmp.rules
    include /etc/snort/misc.rules
    #include policy.rules
    #include info.rules
    #include virus.rules

The stuff in the middle is pretty much default.
My command for running snort is:

    /usr/local/bin/snort -A fast -s -i elxl0 -l /var/log/snortlogs -c /etc/snort/snort.conf -D

Here is some output from the attack.pl script:

    Simulating attack over udp/111 - "IDS025 - RPC - portmap-request-selection_svc" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS019 - RPC - portmap-request-amountd" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS016 - RPC - portmap-request-bootparam" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS017 - RPC - portmap-request-cmsd" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS013 - RPC - portmap-request-mountd" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS021 - RPC - portmap-request-nisd" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS022 - RPC - portmap-request-pcnfsd" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS023 - RPC - portmap-request-rexd" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS010 - RPC - portmap-request-rstatd" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS018 - RPC - portmap-request-admind" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS020 - RPC - portmap-request-sadmind" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS015 - RPC - portmap-request-status" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS024 - RPC - portmap-request-ttdbserv" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS014 - RPC - portmap-request-yppasswd" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS012 - RPC - portmap-request-ypserv" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/111 - "IDS125 - RPC - portmap-request-ypupdated" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/32770: - "IDS009 - RPC-rstatd-query"
    ...
    Simulating attack over udp/50879 - "IDS181 - OVERFLOW-NOOP-X86" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/50225 - "OVERFLOW-NOOP-SGI" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over tcp/2530 - "OVERFLOW-NOOP-SGI" Host: MY.IP.ADDY.HERE - skipped
    Simulating attack over udp/37725 - "OVERFLOW-NOOP-Solaris" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over tcp/41555 - "OVERFLOW-NOOP-Solaris" Host: MY.IP.ADDY.HERE - skipped
    Simulating attack over udp/3076 - "OVERFLOW-NOOP-Sparc" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over tcp/20370 - "OVERFLOW-NOOP-Sparc" Host: MY.IP.ADDY.HERE - skipped
    Simulating attack over tcp/53 - "OVERFLOW-DNS-x86linux-rotsb" Host: MY.IP.ADDY.HERE - skipped
    Simulating attack over tcp/23352 - "OVERFLOW-NOOP-Sparc" Host: MY.IP.ADDY.HERE - skipped
    Simulating attack over tcp/13222 - "OVERFLOW-NOOP-HP" Host: MY.IP.ADDY.HERE - skipped
    Simulating attack over tcp/53707 - "OVERFLOW-NOOP-X86" Host: MY.IP.ADDY.HERE - skipped
    Simulating attack over tcp/53 - "OVERFLOW-Named-ADM-NXT - 8.2->8.2.1" Host: MY.IP.ADDY.HERE - skipped
    Simulating attack over tcp/53 - "OVERFLOW-Named-ADM-NXT - 8.2->8.2.1" Host: MY.IP.ADDY.HERE - skipped
    Simulating attack over tcp/53 - "OVERFLOW-Named-ADM-NXT - 8.2->8.2.1" Host: MY.IP.ADDY.HERE - skipped
    Simulating attack over tcp/57009 - "IDS215 - OVERFLOW - Client - netscape47-retrieved" Host: MY.IP.ADDY.HERE - skipped
    Simulating attack over tcp/80 - "IDS214 - OVERFLOW - Client - netscape47-unsucessful" Host: MY.IP.ADDY.HERE - skipped
    Simulating attack over udp/59337 - "OVERFLOW-NOOP-Sparc" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over udp/50531 - "OVERFLOW-NOOP-AIX" Host: MY.IP.ADDY.HERE - OK
    Simulating attack over tcp/53 - "OVERFLOW-named" Host: MY.IP.ADDY.HERE - skipped
    Simulating attack over udp/635 - "OVERFLOW-x86-linux-mountd2"

Thanks,
Phil
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
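Added example, not Snort's own code or anything from the thread: a small evaluator for Snort 1.x-style address variables and rule headers, loaded with Phil's HOME_NET and EXTERNAL_NET definitions and a constructed 203.0.113.0/24 standing in for the value Snort derives for $elxl0_ADDRESS at start-up. It shows a second reason a self-test from the sensor can stay silent even once the right interface is sniffed: a probe the host sends to its own address has a HOME_NET source, so with EXTERNAL_NET defined as !$HOME_NET any rule keyed on `$EXTERNAL_NET ... -> $HOME_NET` cannot match it.

```python
import ipaddress
import re

# Constructed snort.conf fragment modelled on the one in the post. Snort 1.x
# fills $elxl0_ADDRESS from the interface at start-up; a stand-in is given here.
CONF = """
var elxl0_ADDRESS 203.0.113.0/24
var HOME_NET $elxl0_ADDRESS
var EXTERNAL_NET !$HOME_NET
"""
SENSOR_IP = "203.0.113.10"  # constructed: the sensor's own address on elxl0

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

def parse_vars(conf):
    """Collect 'var NAME VALUE' definitions from snort.conf-style text."""
    return {p[1]: p[2] for p in (ln.split() for ln in conf.splitlines())
            if len(p) == 3 and p[0] == "var"}

def expand(expr, vars_):
    """Substitute $NAME references until none remain (definitions may chain)."""
    prev = None
    while prev != expr:
        prev, expr = expr, VAR_RE.sub(lambda m: vars_[m.group(1)], expr)
    return expr

def addr_matches(expr, ip):
    """Snort 1.x address syntax: 'any', a.b.c.d/nn, [net,net,...], '!' negation."""
    if expr.startswith("!"):
        return not addr_matches(expr[1:], ip)
    if expr == "any":
        return True
    if expr.startswith("[") and expr.endswith("]"):
        return any(addr_matches(p, ip) for p in expr[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def port_matches(expr, port):
    return expr == "any" or int(expr) == port

def header_matches(header, vars_, src_ip, sport, dst_ip, dport):
    """Evaluate a one-way rule header, e.g. 'udp $EXTERNAL_NET any -> $HOME_NET 111'."""
    _proto, src, sp, arrow, dst, dp = header.split()
    assert arrow == "->", "only unidirectional headers are handled here"
    return (addr_matches(expand(src, vars_), src_ip) and port_matches(sp, sport)
            and addr_matches(expand(dst, vars_), dst_ip) and port_matches(dp, dport))

def self_test_fires(header):
    """Would `header` fire on a probe the sensor sends to its own address?"""
    return header_matches(header, parse_vars(CONF), SENSOR_IP, 40000, SENSOR_IP, 111)
```

The same header evaluated with an off-box source such as 198.51.100.5 matches, which is why the usual advice is to run the test script from a second host or use a rule whose source is `any` when validating a sensor from itself.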