Snort mailing list archives

Re: Log questions


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 29 Aug 2001 10:35:26 -0400

Phil wrote:

Aight. the details:
I was running the attack.pl script from the
snort.sourceforge.net website.
The following are examples of 5 attacks that are
A. in the .rules files (these three are all in the
web-iis.rules file) which I have included in my
snort.conf file. These five attacks were initiated
against my machine via the attack scripts:

CVE-1999-0449
WEB-IIS codebrowser SDK access
WEB-IIS JET VBA access (/scripts/samples/ctguestb.idc)
WEB-IIS del attempt
WEB-IIS JET VBA access (/scripts/samples/details.idc)

Nothing was detected by snort. In fact snort has not
picked up a thing since I upgraded to 1.8.1
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|||||||||||||||||||||||||||||||||||||||||||||

Ok, this should be telling you something.  If Snort 1.8.1 were unable to
detect anything for everyone, it probably would have come up on the
lists now.  Since it hasn't, I'd postulate that you've got a local
configuration problem.  

I've tried this. I get no errors, and it picks up tons
of packets.

I've included my config from my last post for
reference:

/usr/local/bin/snort -A fast -i ppp0 -l /var/log/snortlogs -c /etc/snort/snort.conf -D

and I have all the default includes in snort.conf. I
have HOME_NET set to $ppp0_ADDRESS and EXTERNAL_NET is
set to !$HOME_NET

I'm running snort Version 1.8.1-RELEASE (Build 74)
Solaris 8 x86 MU5 (7/01)


And here's the possible problem.  First off, I'd try setting
EXTERNAL_NET to 'any' and see if you get detects.  If that doesn't work,
I'd check that the $ppp0_ADDRESS is picking up the proper IP/Netmask
from the interface by hard coding it to your local IP configuration and
seeing if you detect attacks.  If it works when you hard code it, we
have an issue on x86 Solaris with detecting the ppp interface IP
address, which wouldn't surprise me in the slightest.

     -Marty

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
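The two checks Marty suggests above, as an added example that is not part of the thread: a POSIX shell helper that pulls the ppp0 address and netmask out of ifconfig output, turns the Solaris-style hex netmask into a prefix length, and rewrites the `var HOME_NET` / `var EXTERNAL_NET` lines of a snort.conf so a test run uses a hard-coded HOME_NET and EXTERNAL_NET any. The ifconfig output and the snort.conf fragment are constructed samples, and the exact Solaris ifconfig line layout is an assumption.

```sh
# Convert a Solaris-style hex netmask (e.g. ffffff00) to a prefix length.
# Only contiguous masks are valid; anything else is rejected.
mask_to_prefix() {
    mask=$1; bits=0
    while [ -n "$mask" ]; do
        byte=$(printf '%s' "$mask" | cut -c1-2)
        mask=$(printf '%s' "$mask" | cut -c3-)
        case "$byte" in
            ff) bits=$((bits+8));; fe) bits=$((bits+7));; fc) bits=$((bits+6));;
            f8) bits=$((bits+5));; f0) bits=$((bits+4));; e0) bits=$((bits+3));;
            c0) bits=$((bits+2));; 80) bits=$((bits+1));; 00) ;;
            *) echo "bad netmask: $1" >&2; return 1;;
        esac
    done
    echo "$bits"
}

# Read ifconfig output on stdin and print "addr/prefix" for its inet line,
# i.e. the value $ppp0_ADDRESS is supposed to resolve to.
iface_cidr() {
    set -- $(awk '/inet /{for(i=1;i<=NF;i++){if($i=="inet")a=$(i+1);if($i=="netmask")m=$(i+1)}} END{print a, m}')
    [ -n "$1" ] && [ -n "$2" ] || return 1
    prefix=$(mask_to_prefix "$2") || return 1
    echo "$1/$prefix"
}

# Rewrite a snort.conf read on stdin: hard-code HOME_NET to $1 and set
# EXTERNAL_NET to any, leaving every other line untouched.
make_test_conf() {
    sed -e "s|^var HOME_NET .*|var HOME_NET $1|" \
        -e 's|^var EXTERNAL_NET .*|var EXTERNAL_NET any|'
}

# Constructed samples (not captured from a real box): a point-to-point
# ppp0 as Solaris 8 prints it, and the relevant lines of a snort.conf.
SAMPLE_IFCONFIG='ppp0: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.0.0.5 --> 10.0.0.1 netmask ffffffff'
SAMPLE_CONF='var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET !$HOME_NET
include web-iis.rules'

# On a live system: ifconfig ppp0 | iface_cidr, then feed /etc/snort/snort.conf.
cidr=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_cidr)
printf '%s\n' "$SAMPLE_CONF" | make_test_conf "$cidr"
```

If detects appear with the rewritten conf but not with the original, the interface-variable lookup is the thing to chase.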

