Snort mailing list archives
Re: snort alert -stop working with snort.conf
From: David Yip <dy () davidyip com>
Date: Tue, 30 Jul 2002 01:39:10 +0800
Extract from Snort FAQ:

Q: How do I test snort alerts and logging?

A: Try a rule that will fire off all the time like:

alert tcp any any -> any any (msg:"TCP traffic";)

Also take a look at sneeze at http://snort.sourceforge.net/sneeze-1.0.tar
Sneeze is a false positive generator that reads snort signatures and generates packets that will trigger the rules.
I've tried this one, but it sends the tests so fast that snort will consider it a port scan. Maybe you should disable the port scan preprocessor to really test the rules.
At 00:32 30/7/2002, twig les wrote:
Any security scanner like nessus or whisker (which nessus uses).

--- Cearns Angela <acearns () yahoo com> wrote:
> No, nothing is alerting. I don't know how to test a lot of the rules. But I tried nmap, ping -l, and I'm also testing the Stacheldraht attack, no alert. What else can I try?
>
> but -l without -c snort.conf works.
>
> I've static ip for all my computers.
>
> Thanks,
> Ang
>
> --- John Sage <jsage () finchhaven com> wrote:
> > Angela:
> >
> > On Sat, Jul 27, 2002 at 08:18:20PM -0700, Cearns Angela wrote:
> > > Hi I've 2 simple questions:
> > >
> > > 1. My snort alert was working fine for a while and stopped suddenly. It no longer logs port scan file to my portscan.log in /var/log/snort...nor does it log icmp large packets alert to my alert file in /var/log/snort.
> > > I'm using Red Hat Linux 7.3 2.4.18. and snort 1.8.6
> >
> > So, *nothing* is alerting at all, or just not portscans and icmp large packets?
> >
> > What sort of connectivity do you have?
> >
> > hmm..
> >
> > [toot@sparky /]# host 128.198.172.82
> > 82.172.198.128.in-addr.arpa. domain name pointer multimedia.cs.uccs.edu.
> >
> > Do you have a new IP address assigned by DHCP every so often?
> >
> > > I checked the snort.conf file and the homenet was configured correctly (same as what I use for the -h option on command line).
> > >
> > > When I run snort:
> > > snort -dev -l /var/log/snort -h 192.168.0.2/16 -c snort.conf
> > >
> > > It didn't raise any error and it reads in all the rules.
> > >
> > > When I run snort without the config file:
> > > snort -dev -l /var/log/snort
> > > - it accurately created the dest & source ip directory, log the packets into those directories
> > >
> > > Any idea where I should look into the problem?
> > >
> > > 2. After getting the alert working, I'd like to test every single one of the rules in snort but I don't know the various types of intrusion very well. Is there any test case available that can help me get started? (e.g. run a nmap -sS....and the portscan alert will be raised; run a ping ... and a xx alert will be raised...)
> >
> > Many of the snort rules look for symptoms of specific exploits.
> >
> > You can't test for these without running a given exploit against your system.
> >
> > nmap will scan ports in various ways, but not test all snort rules, by any means.
> >
> > I'm not aware of any method to actually test each and every rule...
> >
> > HTH..
> >
> > - John
> > --
> > Why, yes, I talk to birds. I speak fluent finch.
> >
> > PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
> > Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Health - Feel better, live better
> http://health.yahoo.com
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------
--
David Yip
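One way to check the FAQ's advice in practice, as an added example that is not part of the archived message: once the catch-all rule is in snort.conf, confirm in the alert file that it actually fires, and see how much of the output is the port scan preprocessor rather than rules. The script below parses Snort "fast" alert format (snort -A fast); the sample lines, the sid 1000001, the addresses and the spp_portscan message texts are constructed for this example, not taken from the thread.

```python
"""Summarize Snort 'fast'-format alert lines to confirm a test rule fired.

Added example. SAMPLE_ALERTS is constructed, not a real capture: the
"TCP traffic" lines stand for the FAQ's catch-all test rule (sid 1000001 is
an assumed local sid), and the spp_portscan lines stand for preprocessor
alerts, which carry no [gid:sid:rev] tag in this format.
"""
import re
from collections import Counter

SAMPLE_ALERTS = """\
07/30-01:39:10.123456  [**] [1:1000001:0] TCP traffic [**] [Priority: 0] {TCP} 192.168.0.5:1234 -> 192.168.0.2:80
07/30-01:39:10.223456  [**] [1:1000001:0] TCP traffic [**] [Priority: 0] {TCP} 192.168.0.2:80 -> 192.168.0.5:1234
07/30-01:39:11.000001  [**] spp_portscan: PORTSCAN DETECTED from 192.168.0.5 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
07/30-01:39:12.500000  [**] [1:1000001:0] TCP traffic [**] [Priority: 0] {TCP} 192.168.0.5:1235 -> 192.168.0.2:22
07/30-01:39:15.000000  [**] spp_portscan: End of portscan from 192.168.0.5: TOTAL time(3s) hosts(1) TCP(4) UDP(0) [**]
"""

# timestamp [**] [gid:sid:rev] msg [**] [Priority: n] {proto} src -> dst
# The sid tag, priority and address tail are optional so that preprocessor
# alerts (message only) parse as well as rule alerts.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"(?:\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?\s*$"
)


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"]) if alert["sid"] else None
    # Alerts without a sid tag come from a preprocessor, not from a rule.
    alert["preprocessor"] = alert["sid"] is None
    return alert


def parse_alerts(text):
    """Parse every non-empty line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            parsed = parse_alert(line)
            if parsed:
                alerts.append(parsed)
    return alerts


def count_by_msg(alerts):
    """Alert counts keyed by message text, e.g. the test rule's msg."""
    return Counter(a["msg"] for a in alerts)


def rule_fired(alerts, msg):
    """True if at least one alert carries the given rule message."""
    return any(a["msg"] == msg for a in alerts)


def preprocessor_fraction(alerts):
    """Share of alerts produced by preprocessors rather than rules."""
    if not alerts:
        return 0.0
    return sum(a["preprocessor"] for a in alerts) / len(alerts)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for msg, n in count_by_msg(alerts).most_common():
        print(f"{n:4d}  {msg}")
    print("test rule fired:", rule_fired(alerts, "TCP traffic"))
    print(f"preprocessor share: {preprocessor_fraction(alerts):.0%}")
```

Run against a real alert file by replacing SAMPLE_ALERTS with its contents; if the "TCP traffic" count stays at zero while traffic is flowing, the rule file or -c path is the place to look, and a high preprocessor share is the symptom David describes when a generator fires rules faster than the port scan threshold allows.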
Current thread:
- snort alert -stop working with snort.conf Cearns Angela (Jul 27)
- Re: snort alert -stop working with snort.conf John Sage (Jul 28)
- Re: snort alert -stop working with snort.conf Cearns Angela (Jul 28)
- Re: snort alert -stop working with snort.conf twig les (Jul 29)
- Re: snort alert -stop working with snort.conf David Yip (Jul 29)
- snort-flood detection preprocessor Cearns Angela (Aug 02)
- Re: snort alert -stop working with snort.conf Cearns Angela (Jul 28)
- Re: snort alert -stop working with snort.conf John Sage (Jul 28)