Snort mailing list archives
urgent problem with snort and guardian
From: Björn Brombach <b.brombach () drachenfels de>
Date: Thu, 28 Aug 2003 13:07:50 +0200
Hi all,

Installed are snort, mysql and guardian. I start guardian in debug mode so as to see whether alarms are properly notified. Guardian should call a user-defined script upon every alert. The problem is that only some alerts make guardian call the script and some don't.

What I am trying to do is use the rules for the Cisco IPv4 bug and, upon detection, have them trigger guardian to execute the script. These are the rules:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS Cisco SWIPE Protocol "; classtype:attempted-dos; ip_proto:53;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS Cisco IP Mobility Protocol "; classtype:attempted-dos; ip_proto:55;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS Cisco Sun ND Protocol "; classtype:attempted-dos; ip_proto:77;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS Cisco PIM Protocol "; classtype:attempted-dos; ip_proto:103;)

Snort detects the alerts and guardian shows them on screen in debugging mode but doesn't execute the script. I even tried adding priority:1 to the rules, but it doesn't make any difference. Doing an nmap scan or attacks with snot always triggers the script execution.

So, any idea what to change so that my rules trigger as well? I have been trying to figure that out for two weeks now and need it solved urgently.

Thanks for any help
-bb
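An added example, not code from the message above, from Guardian or from Snort, of the check a practitioner would make at this point: a parser for Snort alert_fast-style lines that treats the source and destination ports as optional, because alerts raised by `ip_proto` rules for protocols such as 53, 55, 77 and 103 are printed as "src -> dst" with no ports, placed beside the same pattern with ports mandatory, which silently drops exactly those alerts while still matching TCP/UDP ones. The alert lines, IP addresses, SIDs, response-script path and trigger policy are all constructed for the example; the "Priority: 2" values follow Snort's default for classtype attempted-dos in classification.config.

```python
"""Parse Snort alert_fast-style lines and decide which ones are handed to an
external response script.  Added example; not Guardian's or Snort's code.
The alert lines below are constructed to mirror the fast-alert layout and
the ip_proto rules quoted in the message."""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: one TCP alert (with ports), three alerts from the
# ip_proto rules (no ports, since those protocols have none), one ICMP alert.
SAMPLE_ALERTS = """\
08/28-13:05:12.104233  [**] [1:1421:2] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4513 -> 10.0.0.5:705
08/28-13:06:01.551902  [**] [1:0:0] Cisco IPv4 DoS Cisco PIM Protocol  [**] [Classification: Attempted Denial of Service] [Priority: 2] {PIM} 192.0.2.77 -> 10.0.0.1
08/28-13:06:44.003311  [**] [1:0:0] Cisco IPv4 DoS Cisco SWIPE Protocol  [**] [Classification: Attempted Denial of Service] [Priority: 2] {PROTO:053} 192.0.2.77 -> 10.0.0.1
08/28-13:07:02.731000  [**] [1:0:0] Cisco IPv4 DoS Cisco IP Mobility Protocol  [**] [Classification: Attempted Denial of Service] [Priority: 2] {PROTO:055} 192.0.2.77 -> 10.0.0.1
08/28-13:07:15.000001  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 10.0.0.5
"""


@dataclass
class Alert:
    timestamp: str
    sid: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


_HEAD = r"""
    ^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+
    \[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+
    \{(?P<proto>[^}]+)\}\s+"""

# Ports optional: non-TCP/UDP alerts print "src -> dst" with no ":port".
_TOLERANT = re.compile(
    _HEAD + r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
            r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$", re.VERBOSE)

# Ports mandatory: the shape of a TCP/UDP-only parser, kept for comparison.
_PORTS_REQUIRED = re.compile(
    _HEAD + r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+"
            r"(?P<dst>[0-9.]+):(?P<dport>\d+)\s*$", re.VERBOSE)


def _build(m: "re.Match[str]") -> Alert:
    return Alert(
        timestamp=m["ts"], sid=int(m["sid"]), msg=m["msg"].strip(),
        classification=m["cls"].strip(), priority=int(m["prio"]),
        proto=m["proto"], src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_alert(line: str) -> Optional[Alert]:
    m = _TOLERANT.match(line)
    return _build(m) if m else None


def parse_alert_ports_required(line: str) -> Optional[Alert]:
    m = _PORTS_REQUIRED.match(line)
    return _build(m) if m else None


def should_trigger(alert: Alert, max_priority: int = 1,
                   watched=frozenset({"Attempted Denial of Service"})) -> bool:
    """Hand off alerts at or above the priority threshold, or in a watched
    classification (policy chosen for the example)."""
    return alert.priority <= max_priority or alert.classification in watched


def select_sources(text: str,
                   parser: Callable[[str], Optional[Alert]] = parse_alert) -> List[str]:
    """Source IPs (ordered, de-duplicated) that should reach the script."""
    seen: List[str] = []
    for line in text.splitlines():
        a = parser(line)
        if a and should_trigger(a) and a.src not in seen:
            seen.append(a.src)
    return seen


def parsed_count(text: str, parser: Callable[[str], Optional[Alert]]) -> int:
    return sum(1 for line in text.splitlines() if parser(line))


def response_argv(alert: Alert, script: str = "/usr/local/bin/block.sh") -> List[str]:
    """Argument vector for the response script (path is an assumption)."""
    return [script, alert.src, alert.dst, alert.proto, str(alert.sid)]


def run_response(alert: Alert, script: str = "/usr/local/bin/block.sh") -> int:
    """Invoke without a shell so alert fields are never shell-interpreted."""
    return subprocess.run(response_argv(alert, script), check=False).returncode


if __name__ == "__main__":
    print("tolerant parser:", parsed_count(SAMPLE_ALERTS, parse_alert))
    print("ports-required parser:", parsed_count(SAMPLE_ALERTS, parse_alert_ports_required))
    print("sources to hand off:", select_sources(SAMPLE_ALERTS))
```

Run against the constructed lines, the tolerant parser sees all five alerts and hands off 192.0.2.77, while the ports-required pattern matches only the TCP line and therefore never reaches the response script for the ip_proto alerts; whichever parser a given responder uses, feeding it one portless alert line is the quickest way to find out.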