Snort mailing list archives
Re: Log questions
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 29 Aug 2001 10:35:26 -0400
Phil wrote:
Aight. The details: I was running the attack.pl script from the snort.sourceforge.net website. The following are examples of 5 attacks that are A. in the .rules files (these three are all in the web-iis.rules file) which I have included in my snort.conf file. These five attacks were initiated against my machine via the attack scripts:
CVE-1999-0449
WEB-IIS codebrowser SDK access
WEB-IIS JET VBA access (/scripts/samples/ctguestb.idc)
WEB-IIS del attempt
WEB-IIS JET VBA access (/scripts/samples/details.idc)
Nothing was detected by snort. In fact snort has not picked up a thing since I upgraded to 1.8.1.
Ok, this should be telling you something. If Snort 1.8.1 were unable to detect anything for everyone, it probably would have come up on the lists by now. Since it hasn't, I'd postulate that you've got a local configuration problem.
I've tried this. I get no errors, and it picks up tons of packets. I've included my config from my last post for reference:
/usr/local/bin/snort -A fast -i ppp0 -l /var/log/snortlogs -c /etc/snort/snort.conf -D
and I have all the default includes in snort.conf. I have HOME_NET set to $ppp0_ADDRESS and EXTERNAL_NET is set to !$HOME_NET. I'm running snort Version 1.8.1-RELEASE (Build 74) on Solaris 8 x86 MU5 (7/01).
And here's the possible problem. First off, I'd try setting EXTERNAL_NET to 'any' and see if you get detects. If that doesn't work, I'd check that $ppp0_ADDRESS is picking up the proper IP/netmask from the interface by hard-coding it to your local IP configuration and seeing if you detect attacks. If it works when you hard-code it, we have an issue on x86 Solaris with detecting the ppp interface IP address, which wouldn't surprise me in the slightest.
-Marty
--
Martin Roesch roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
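The two troubleshooting steps above (EXTERNAL_NET to 'any' first, then a hard-coded HOME_NET) can be walked through with a small model of the rule-header address test. The script below is an added example, not code from the thread or from Snort; the host and attacker addresses are constructed, and the two ways $ppp0_ADDRESS might resolve wrongly (a catch-all range, or an address that is not the host's) are assumptions used to show why each step helps, not a statement of what Snort 1.8.1 actually did on Solaris x86.

```python
import ipaddress

# Constructed addresses for the scenario; they do not come from the thread.
HOST_IP = ipaddress.ip_address("192.0.2.10")        # the monitored host behind ppp0
ATTACKER_IP = ipaddress.ip_address("198.51.100.7")  # the box running attack.pl


def resolve(spec, variables):
    """Resolve a Snort-style address spec to (negated, [networks]).

    Handles 'any', '$VAR', '!$VAR', '!CIDR' and a bare IP/CIDR. This is a
    deliberately small model of the rule-header address test, not Snort's
    own parser.
    """
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    if spec.startswith("$"):
        inner_negated, nets = resolve(variables[spec[1:]], variables)
        return negated != inner_negated, nets
    return negated, [ipaddress.ip_network(spec, strict=False)]


def addr_matches(spec, ip, variables):
    """True if `ip` satisfies the spec (a '!' spec matches the complement)."""
    negated, nets = resolve(spec, variables)
    return any(ip in net for net in nets) != negated


def rule_fires(variables, src_ip=ATTACKER_IP, dst_ip=HOST_IP):
    """Header test for a rule shaped like the web-iis rules:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (...)
    Only the address halves are modelled; ports and content are ignored."""
    return (addr_matches("$EXTERNAL_NET", src_ip, variables)
            and addr_matches("$HOME_NET", dst_ip, variables))


def troubleshoot():
    """Walk the configurations in the order the reply suggests trying them."""
    results = {}

    # Phil's config, if $ppp0_ADDRESS resolved correctly: the rule fires.
    results["correct"] = rule_fires(
        {"HOME_NET": "192.0.2.10/32", "EXTERNAL_NET": "!$HOME_NET"})

    # Assumed failure mode 1: the interface lookup yields a catch-all range.
    # EXTERNAL_NET = !$HOME_NET then excludes the attacker as well.
    results["broad_homenet"] = rule_fires(
        {"HOME_NET": "0.0.0.0/0", "EXTERNAL_NET": "!$HOME_NET"})

    # Step 1, EXTERNAL_NET any: cures failure mode 1 ...
    results["broad_homenet_external_any"] = rule_fires(
        {"HOME_NET": "0.0.0.0/0", "EXTERNAL_NET": "any"})

    # Assumed failure mode 2: the lookup yields an address that is not ours.
    # ... but not failure mode 2; the destination still misses HOME_NET.
    results["wrong_homenet_external_any"] = rule_fires(
        {"HOME_NET": "10.0.0.1/32", "EXTERNAL_NET": "any"})

    # Step 2, hard-coded HOME_NET: fires again. If only this change helps,
    # the interface-address lookup itself is what to look at.
    results["hardcoded_homenet"] = rule_fires(
        {"HOME_NET": "192.0.2.10/32", "EXTERNAL_NET": "any"})
    return results


if __name__ == "__main__":
    for name, fired in troubleshoot().items():
        print(f"{name:32s} {'ALERT' if fired else 'silent'}")
```

The point of running both misresolution cases is that EXTERNAL_NET 'any' only rescues a HOME_NET that is too broad; a HOME_NET that simply names the wrong address stays silent until it is hard-coded, which is why the reply orders the two checks the way it does.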
Current thread:
- Log questions Phil (Aug 06)
- RE: Log questions Jyri Hovila (Aug 06)
- Re: Log questions Martin Roesch (Aug 06)
- <Possible follow-ups>
- Re: Log questions Phil (Aug 18)
- Re: Log questions Martin Roesch (Aug 18)
- Re: Log questions Phil (Aug 29)
- Re: Log questions Martin Roesch (Aug 29)
- Re: Log questions Phil (Aug 29)
- Re: Log questions Martin Roesch (Aug 18)