Snort mailing list archives
Problem with Snort-inline
From: aravind babu <aravindforsnort () yahoo co in>
Date: Mon, 9 Feb 2004 13:21:53 +0000 (GMT)
Hi all,

I am using Snort-inline version 2.0.2 (Build 92). My snort_inline.conf is below. I started snort-inline with the options below.

./snort_inline -Qvc ./snort_inline.conf -l ./tmp

#
# Honeynet snort_inline configuration file
# Version 0.4
# Last modified 29 March, 2003
#
# Standard Snort configuration file modified for inline
# use. Most preprocessors currently do not work in inline
# mode, as such they are not included.
#

### Network variables
var HONEYNET 172.30.180.0/24
var EXTERNAL_NET any

### Ports variables
var SHELLCODE_PORTS !80
var HTTP_PORTS 80
var ORACLE_PORTS 1521

### Let's make sure we don't let bad packets out simply cause
### they have bad checksums. If this is not here, packets with
### bad checksums could get out.
config checksum_mode: none

### Preprocessors
# usage guidelines: if the plugin normalizes the packet so that the
# detection engine can better interpret the data, the plugin can be
# used with the snort_inline safely. If the plugin itself makes
# the alert decisions, then we have to modify it to drop packets.

# Many false positives
# preprocessor fnord

# Done by IPTables
# preprocessor frag2
# preprocessor portscan

# Not yet modified for snort_inline
# preprocessor stream4: detect_scans
# preprocessor stream4_reassemble
# preprocessor asn1_decode

# Enabled
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor bo: -nobrute
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000

### Logging alerts of outbound attacks
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast

### If you want to log the contents of the dropped packets, remove comment
#output log_tcpdump: tcpdump.log

### Rules found in local directory
var RULE_PATH /tmp

### Include classification & reference
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config

### The Drop Rules
# Enabled
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules

### Disabled
# include $RULE_PATH/other-ids.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/experimental.rules
# include $RULE_PATH/local.rules
# include $RULE_PATH/bad-traffic.rules
# include $RULE_PATH/attack-responses.rules
# include $RULE_PATH/scan.rules
# include $RULE_PATH/misc.rules

My setup is like this:

   NESSUS              SNORT-INLINE                 TARGET MACHINE
<10.1.10.1>------<10.1.10.2  172.30.180.212>------<172.30.180.99>

I am running Nessus on 10.1.10.1 with all checks enabled. After starting Nessus, snort-inline is not detecting any packet after getting the following packet.

02/09-17:05:00.360000 10.1.10.1:33771 -> 172.30.180.99:69 PROTO017 TTL:63 TOS:0x0 ID:4896 IpLen:20 DgmLen:50 DF Len: 22

I tried 4 times but the same situation happens. Why is it not detecting anything after getting the above packet? Also, packets are not being logged in the /tmp directory?

Thanks in advance,
Aravind.
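As an added example (not part of the original post and not Snort's own code), a small Python parser for the Snort verbose packet header line quoted in the message above; it pulls out the fields and, for an IP protocol 17 (UDP) record, checks whether the printed lengths are internally consistent. It assumes Snort's "Len:" value is the UDP payload length, which agrees with the numbers shown (50 - 20 = 8 + 22); the sample line is constructed from the post.

```python
import re

# Constructed sample: the packet header line quoted in the post above.
SAMPLE_LINE = (
    "02/09-17:05:00.360000 10.1.10.1:33771 -> 172.30.180.99:69 PROTO017 "
    "TTL:63 TOS:0x0 ID:4896 IpLen:20 DgmLen:50 DF Len: 22"
)

HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+:?\d*)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+"
    r"ID:(?P<ipid>\d+)\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)"
    r"(?P<flags>(?:\s+(?:DF|MF|RB))*)(?:\s+Len:\s*(?P<len>\d+))?\s*$"
)

PROTO_NAMES = {"ICMP": 1, "TCP": 6, "UDP": 17}  # names Snort prints when decoded
UDP_HEADER_LEN = 8

def parse_snort_header(line):
    """Parse one Snort 2.x verbose packet header line; None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    proto = d["proto"]
    if proto.startswith("PROTO"):
        # PROTO<nnn>: Snort only shows the raw IP protocol number here.
        proto_num = int(proto[len("PROTO"):].lstrip(":"))
    else:
        proto_num = PROTO_NAMES.get(proto)
    return {
        "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "proto_num": proto_num,
        "ttl": int(d["ttl"]), "ipid": int(d["ipid"]), "flags": d["flags"].split(),
        "iplen": int(d["iplen"]), "dgmlen": int(d["dgmlen"]),
        "len": int(d["len"]) if d["len"] is not None else None,
    }

def udp_lengths_consistent(pkt):
    """For a protocol-17 (UDP) record: IP total length minus IP header must equal
    the 8-byte UDP header plus the payload length Snort printed as 'Len:'
    (assumption: 'Len:' is the UDP payload length, as Snort 2.x prints it).
    Returns None when there is nothing to compare."""
    if pkt["proto_num"] != 17 or pkt["len"] is None:
        return None
    return pkt["dgmlen"] - pkt["iplen"] == UDP_HEADER_LEN + pkt["len"]
```

Running parse_snort_header(SAMPLE_LINE) shows the quoted packet as a 22-byte UDP datagram to destination port 69 (the TFTP well-known port) with consistent lengths, which is the kind of check an analyst does before suspecting the decoder itself.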
Current thread:
- Problem with Snort-inline aravind babu (Feb 09)
- Re: Problem with Snort-inline ravivsn (Feb 09)