Snort mailing list archives

Re: Snort-1.8.7 detection problems


From: "Wojciech Sobola" <wsobola () astercity net>
Date: Mon, 22 Jul 2002 22:56:04 +0200

OS Version?
Do you see the same behavior from tcpdump?
-- 
Chris Green <cmg () sourcefire com>
Eschew obfuscation.

Linux version 2.4.18 (root () myhost pl) (gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-98)) #1 sro cze 19 17:32:11 CEST 2002

lsmod:
Module                  Size  Used by    Not tainted
ipt_mac                  640   0  (autoclean)
tulip                      36832   3 
tlan                       24448   1 
ipt_MIRROR               992   7  (autoclean)
ipt_LOG                 3392   9  (autoclean)
ipt_psd                    42816   2  (autoclean)
ipt_REJECT              2752   3  (autoclean)
ipt_state                576   8  (autoclean)
iptable_nat            19636   1  (autoclean)
ip_conntrack           20908   2  (autoclean) [ipt_state iptable_nat]
ipt_TOS                  960   4  (autoclean)
ipt_MARK                 704   6  (autoclean)
iptable_mangle          2080   1  (autoclean)
iptable_filter          1696   1  (autoclean)
ip_tables              13248  13  [ipt_mac ipt_MIRROR ipt_LOG ipt_psd ipt_REJECT ipt_state iptable_nat ipt_TOS ipt_MARK iptable_mangle iptable_filter]
ext3                   61312   1  (autoclean)
jbd                    44068   1  (autoclean) [ext3]
md                     43968   0 
rtc                     5656   0  (autoclean)

iptables-1.2.6a with some patches applied from distrib.
tcpdump is ok. Other capturing software too.
snort.conf (what I did):

var HOME_NET [10.1.0.0/16,192.168.100.0/24,192.168.101.0/24]
output database: log, mysql, user=me password=myPazzw0rd dbname=snort host=10.1.1.1 encoding=ascii

with the following rules:
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/info.rules
include $RULE_PATH/local.rules

Remaining is default.

snort params:
root     11034  0.1  2.4 12368 3152 ?        S    Jul20   6:34 /usr/bin/snort -c /etc/snort/snort.conf -i eth1 -g snort -D -p

That's all. On the same machine the previous snort (1.8.n) had problems with UDP only, like this one has with TCP/UDP.
Both work fine with ICMP.

Regards,
Wojtek Sobola
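An added diagnostic for the kind of snort.conf shown above (example code written for this archive page, not from the thread and not part of Snort): it expands the bracketed HOME_NET list and the $RULE_PATH includes the way Snort reads them, so one can check that the hosts seen on the sniffing interface really fall inside HOME_NET and that every included rule file exists, since most rules in the stock rule files are written against $HOME_NET and a monitored host left out of that list silently matches nothing. The sample conf text is constructed, RULE_PATH is assumed to be /etc/snort/rules, and the `exists` hook is only there so the check can run without a real rules directory.

```python
import ipaddress
import re
from pathlib import Path

# Constructed sample modelled on the snort.conf lines in the post; not the poster's real file.
SAMPLE_CONF = """\
var HOME_NET [10.1.0.0/16,192.168.100.0/24,192.168.101.0/24]
var RULE_PATH /etc/snort/rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/local.rules
"""

def parse_vars(conf_text):
    """Collect 'var NAME VALUE' definitions into a dict."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(.+?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def expand(value, variables):
    """Substitute $NAME references; unknown names are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)

def net_list(value, variables):
    """Split a Snort address list like [a,b,!c] into (included, excluded) networks."""
    included, excluded = [], []
    for item in expand(value, variables).strip("[]").split(","):
        item = item.strip()
        if item == "any":
            included.append(ipaddress.ip_network("0.0.0.0/0"))
        elif item.startswith("!"):
            excluded.append(ipaddress.ip_network(item[1:]))
        else:
            included.append(ipaddress.ip_network(item))
    return included, excluded

def in_home_net(ip, variables):
    """True if ip matches HOME_NET: inside some included net and in no excluded one."""
    addr = ipaddress.ip_address(ip)
    included, excluded = net_list(variables["HOME_NET"], variables)
    return any(addr in n for n in included) and not any(addr in n for n in excluded)

def include_paths(conf_text, variables):
    """Resolve every 'include' line to the file Snort will try to open."""
    return [expand(m.group(1), variables)
            for m in re.finditer(r"^\s*include\s+(\S+)", conf_text, re.M)]

def missing_includes(conf_text, variables, exists=lambda p: Path(p).is_file()):
    """Return included rule files that are not present on disk."""
    return [p for p in include_paths(conf_text, variables) if not exists(p)]
```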
