Snort mailing list archives

Re: Log questions


From: Phil <foo_bar_00 () yahoo com>
Date: Wed, 29 Aug 2001 00:06:31 -0700 (PDT)

--- Martin Roesch <roesch () sourcefire com> wrote:
> Phil wrote:
>
> This is a pcap problem, not a snort problem.  The BPF filtering
> subsystem is provided by libpcap and the issues that you're seeing are
> completely at that layer.  I'd recommend contacting the tcpdump.org guys
> for that one.

aight...


> > [snip lots o' attacks]
> >
> > But not one of them was picked up by snort. I'm
> > running snort with the following options:
>
> Did you have rules running that pick up the attacks
> you run?  What tool were you running?

Aight. The details:

I was running the attack.pl script from the snort.sourceforge.net
website. The following are examples of 5 attacks that are

A. in the .rules files (these three are all in the web-iis.rules file)
which I have included in my snort.conf file. These five attacks were
initiated against my machine via the attack scripts:

CVE-1999-0449
WEB-IIS codebrowser SDK access
WEB-IIS JET VBA access (/scripts/samples/ctguestb.idc)
WEB-IIS del attempt
WEB-IIS JET VBA access (/scripts/samples/details.idc)

Nothing was detected by snort. In fact snort has not picked up a thing
since I upgraded to 1.8.1.

> If you're having problems I'd suggest not
> running in daemon mode until you can be sure you
> aren't getting any command line error messages.

I've tried this. I get no errors, and it picks up tons of packets.

I've included my config from my last post for reference:

/usr/local/bin/snort -A fast -i ppp0 -l /var/log/snortlogs -c /etc/snort/snort.conf -D

and I have all the default includes in snort.conf. I have HOME_NET set
to $ppp0_ADDRESS and EXTERNAL_NET is set to !$HOME_NET.

I'm running snort Version 1.8.1-RELEASE (Build 74) on
Solaris 8 x86 MU5 (7/01).


Thanks,
Phil


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
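A small, constructed model of how the HOME_NET / EXTERNAL_NET variables from the config above decide whether a web-iis rule can match at all. This is an added example for this thread, not code from the thread or from Snort; the ppp0 address, the rule text and the packets are assumptions for illustration, and the model skips everything Snort does beyond the rule header and a single content match.

```python
"""Toy model of Snort rule-header matching against HOME_NET / EXTERNAL_NET.

Added example for this thread, not code from the thread or from Snort. It
models only what the question turns on: how HOME_NET=$ppp0_ADDRESS and
EXTERNAL_NET=!$HOME_NET resolve, and which packets a web-iis style rule
can therefore match. Address, rule text and packets are constructed.
"""
import ipaddress
import re

# Assumption: the monitored ppp0 interface has this address; the thread
# only says HOME_NET is set to $ppp0_ADDRESS.
PPP0_ADDRESS = "203.0.113.7"

# Stand-in for the snort.conf 'var' lines described in the thread.
VARIABLES = {"HOME_NET": PPP0_ADDRESS, "EXTERNAL_NET": "!$HOME_NET"}

# Rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def resolve(token, variables):
    """Expand $VAR references; returns (negated, address_spec)."""
    negate = token.startswith("!")
    token = token.lstrip("!")
    while token.startswith("$"):
        token = variables[token[1:]]
        if token.startswith("!"):        # !$HOME_NET flips the sense
            negate = not negate
            token = token[1:]
    return negate, token


def addr_matches(token, ip, variables):
    """True if ip is covered by token ('any', an address/CIDR, or $VAR)."""
    negate, spec = resolve(token, variables)
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(token, port):
    return token == "any" or int(token) == port


def parse_rule(text):
    """Parse a one-line rule; only the msg and content options are kept."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unparsable rule: " + text)
    rule = m.groupdict()
    opts = dict(re.findall(r'(\w+):\s*"([^"]*)"', rule["opts"]))
    rule["msg"], rule["content"] = opts.get("msg", ""), opts.get("content", "")
    return rule


def why_not(rule, pkt, variables=VARIABLES):
    """Names of the checks that stop rule firing on pkt; empty list = alert.

    pkt is a dict with src, dst, sport, dport and payload (bytes).
    """
    checks = [
        ("src", addr_matches(rule["src"], pkt["src"], variables)),
        ("sport", port_matches(rule["sport"], pkt["sport"])),
        ("dst", addr_matches(rule["dst"], pkt["dst"], variables)),
        ("dport", port_matches(rule["dport"], pkt["dport"])),
        ("content", rule["content"].encode() in pkt["payload"]),
    ]
    return [name for name, ok in checks if not ok]


def rule_fires(rule, pkt, variables=VARIABLES):
    return not why_not(rule, pkt, variables)


# Constructed rule in the shape of the web-iis signature named in the thread
# (the real rule carries more options, e.g. a sid and TCP flags, ignored here).
WEB_IIS_RULE = parse_rule(
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB-IIS JET VBA access"; content:"/scripts/samples/details.idc";)'
)
REQUEST = b"GET /scripts/samples/details.idc HTTP/1.0\r\n\r\n"

# Constructed packets: the same request from a remote host, from the
# monitored host to itself, and from a remote host to a port other than 80.
REMOTE_ATTACK = dict(src="198.51.100.9", dst=PPP0_ADDRESS, sport=40000, dport=80, payload=REQUEST)
LOCAL_ATTACK = dict(src=PPP0_ADDRESS, dst=PPP0_ADDRESS, sport=40001, dport=80, payload=REQUEST)
WRONG_PORT = dict(src="198.51.100.9", dst=PPP0_ADDRESS, sport=40002, dport=8080, payload=REQUEST)

if __name__ == "__main__":
    for name, pkt in (("remote", REMOTE_ATTACK), ("local", LOCAL_ATTACK), ("port 8080", WRONG_PORT)):
        missed = why_not(WEB_IIS_RULE, pkt)
        print(name, "->", "alert: " + WEB_IIS_RULE["msg"] if not missed else "no match: " + ", ".join(missed))
```

With EXTERNAL_NET set to !$HOME_NET, a request sourced from the HOME_NET address itself (for instance an attack script run on the monitored machine against its own interface) fails the src check and never reaches the content match, so no alert is logged even though the rule is loaded. The why_not function reports which header field blocked the match; that is the check worth running before concluding that the rules are not being loaded at all.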

