Snort mailing list archives

Snort doesn't detect any kind of TCP traffic


From: Carlo Manuali <carlo () unipg it>
Date: Thu, 18 Jan 2007 16:37:02 +0100


Hi to all.
I'd like to receive your help with this error that makes me crazy.
I've installed snort on a dual-homed host, with IP addresses of the form:
eth0 - 192.168.199.5 on 192.168.199.0/24 net
eth1 - 192.168.198.143 on 192.168.198.0/24 net
I use eth0 for admin purposes and with eth1 I monitor all 192.168.198.0/24 traffic
(I'm using a monitoring port of a 3com switch).
All seems to be OK: with tcpdump or snort (in sniffer mode) I see that traffic on the console without any problem. The database logging seems to work fine and I don't receive any relevant error during snort startup.
Also I've defined:
var eth1_ADDRESS [192.168.198.143/32]
var HOME_NET $eth1_ADDRESS
var EXTERNAL_NET any

--> The problem is that I only receive these kinds of alerts (plus sometimes some UDP messages)!!
(I see them in the BASE software):

SID    | Signature                                                                                      | Classification  | Total #      | Sensor # | Source Addr | Dest. Addr | First               | Last
1:485  | ICMP Destination Unreachable Communication Administratively Prohibited                         | misc-activity   | 15 (0%)      | 1        | 2           | 6          | 2006-12-15 11:33:52 | 2007-01-15 09:01:24
1:486  | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | misc-activity   | 8084 (19%)   | 1        | 2           | 33         | 2006-12-14 13:24:03 | 2007-01-11 10:13:37
1:408  | ICMP Echo Reply                                                                                | misc-activity   | 2 (0%)       | 1        | 1           | 1          | 2007-01-11 10:00:10 | 2007-01-11 10:00:11
1:384  | ICMP PING                                                                                      | misc-activity   | 16 (0%)      | 1        | 4           | 1          | 2007-01-08 10:36:40 | 2007-01-08 11:14:02
122:26 | (portscan) ICMP Filtered Sweep                                                                 | unclassified    | 1 (0%)       | 1        | 1           | 1          | 2006-12-15 13:33:02 | 2006-12-15 13:33:02
1:486  | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | misc-activity   | 3148 (8%)    | 1        | 2           | 16         | 2006-12-11 14:48:23 | 2006-12-14 16:56:14
1:384  | ICMP PING                                                                                      | misc-activity   | 48 (0%)      | 1        | 4           | 5          | 2006-12-11 22:17:22 | 2006-12-14 12:02:17
1:466  | ICMP L3retriever Ping                                                                          | attempted-recon | 41 (0%)      | 1        | 2           | 2          | 2006-12-11 22:17:22 | 2006-12-14 12:02:17
1:399  | ICMP Destination Unreachable Host Unreachable                                                  | misc-activity   | 30046 (72%)  | 1        | 2           | 4          | 2006-12-11 14:39:16 | 2006-12-14 10:52:48

I have many rules defined and I wrote my own rules also,
but I can't see any kind of alert about TCP traffic, and none of the defined rules matches.
As an example (my own rule for ssh):

----------------------------------------------------------------------------------------
# cat /etc/snort/rules/unipg.rules
alert tcp any any -> any 22 (flags:S; msg:"ssh connection";)
alert tcp any any -> any 22 \
        (\
                msg: "BETA Vulnerable SSH-2 Connection" ;\
                flags: PA ;\
                content: "SSH-2" ;\
         )
----------------------------------------------------------------------------------------

Furthermore, none of the built-in rules matches!

Where am I wrong?
Any ideas?
Thank you very much in advance.
Regards,
--Carlo


_________________________________________________________________________

  Dott. Carlo Manuali - carlo () unipg it
  Responsabile Sicurezza Informatica

Ripartizione Servizi Informatici e Statistici - University of Perugia
  Piazza dell'Universita' 1, 06123 - Perugia (PG), Italy
  Web:  http://www.unipg.it/carlo
  Tel:  +390755852370
  Fax:  +390755855180
_________________________________________________________________________
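The two rules quoted in the post are syntactically sound, so a useful first step is to confirm that the rule logic itself matches the traffic it is meant to catch, which narrows the silence down to capture or configuration. The following is an added example, not code from Carlo's post or from the Snort project: a small offline checker that parses rules in the shape used above (including backslash-continued lines and the `var` indirection `HOME_NET -> eth1_ADDRESS`), evaluates them against constructed packet summaries, and lints them for the `sid`/`rev` options every Snort rule should carry. The packet summaries and addresses are constructed for the example; only the rule text and variables come from the post.

```python
"""Offline sanity check for Snort-style rules (added example; not code from the
original post or the Snort project). Bidirectional '<>' rules, port lists and
the flags ',mask' modifier are not implemented."""
import ipaddress
import re
from dataclasses import dataclass, field

RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$',
    re.S)

# Rule text copied from the post (constructed rule file for this example).
SAMPLE_RULES = r'''
# cat /etc/snort/rules/unipg.rules
alert tcp any any -> any 22 (flags:S; msg:"ssh connection";)
alert tcp any any -> any 22 \
        (\
                msg: "BETA Vulnerable SSH-2 Connection" ;\
                flags: PA ;\
                content: "SSH-2" ;\
         )
'''

# Variables as defined in the post, kept in Snort's own syntax.
VARIABLES = {'eth1_ADDRESS': '[192.168.198.143/32]',
             'HOME_NET': '$eth1_ADDRESS', 'EXTERNAL_NET': 'any'}

# Constructed packet summaries: what a decoder hands to the detection engine.
SAMPLE_PACKETS = [
    dict(proto='tcp', src='192.168.198.50', sport=40001, dst='192.168.198.10',
         dport=22, flags='S', payload=b''),
    dict(proto='tcp', src='192.168.198.50', sport=40001, dst='192.168.198.10',
         dport=22, flags='PA', payload=b'SSH-2.0-OpenSSH_4.3\r\n'),
    dict(proto='tcp', src='192.168.198.50', sport=40002, dst='192.168.198.10',
         dport=80, flags='S', payload=b''),
]

@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str; dst: str; dport: str
    opts: dict = field(default_factory=dict)

def parse_rules(text):
    """Join backslash-continued lines, skip comments, parse header and options."""
    rules = []
    for line in text.replace('\\\n', '').splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('unparsable rule: ' + line)
        opts = {}
        for opt in filter(None, (o.strip() for o in m.group('opts').split(';'))):
            key, _, val = opt.partition(':')
            opts[key.strip()] = val.strip().strip('"')
        rules.append(Rule(*(m.group(g) for g in
                            ('action', 'proto', 'src', 'sport', 'dst', 'dport')), opts))
    return rules

def resolve(spec, variables):
    """Follow $VAR references (HOME_NET -> eth1_ADDRESS in the post) to a literal."""
    while spec.startswith('$'):
        spec = variables[spec[1:]]
    return spec

def addr_ok(spec, addr, variables):
    spec = resolve(spec, variables)
    if spec == 'any':
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n.strip(), strict=False)
               for n in spec.strip('[]').split(','))

def port_ok(spec, port, variables):
    spec = resolve(spec, variables)
    return spec == 'any' or int(spec) == port

def flags_ok(spec, have):
    """Snort semantics: bare flags must match exactly; '+' at least, '*' any, '!' none."""
    if not spec:
        return True
    mod = spec[-1] if spec[-1] in '+*!' else ''
    want, have = set(spec.rstrip('+*!')), set(have)
    return {'+': want <= have, '*': bool(want & have), '!': not (want & have)}.get(mod, want == have)

def matches(rule, pkt, variables):
    if rule.proto != pkt['proto']:
        return False
    if not (addr_ok(rule.src, pkt['src'], variables) and port_ok(rule.sport, pkt['sport'], variables)
            and addr_ok(rule.dst, pkt['dst'], variables) and port_ok(rule.dport, pkt['dport'], variables)):
        return False
    if not flags_ok(rule.opts.get('flags', ''), pkt['flags']):
        return False
    content = rule.opts.get('content')
    return content is None or content.encode() in pkt['payload']

def evaluate(rules_text, packets, variables):
    """Return, per packet, the msg of every rule that fires on it."""
    rules = parse_rules(rules_text)
    return [[r.opts.get('msg', '?') for r in rules if matches(r, p, variables)] for p in packets]

def lint(rules):
    """Every Snort rule should carry a unique sid and a rev; report the ones that don't."""
    return [f'rule {i} ({r.opts.get("msg", "?")}): missing {key}'
            for i, r in enumerate(rules, 1) for key in ('sid', 'rev') if key not in r.opts]

if __name__ == '__main__':
    for pkt, hits in zip(SAMPLE_PACKETS, evaluate(SAMPLE_RULES, SAMPLE_PACKETS, VARIABLES)):
        print(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} [{pkt['flags']}] {hits}")
    for w in lint(parse_rules(SAMPLE_RULES)):
        print('WARNING:', w)
```

Run as-is, the SYN to port 22 fires the first rule and the PSH/ACK segment carrying `SSH-2` fires the second, while the SYN to port 80 fires nothing, so the rules do what they say. When rules pass this kind of check but the live sensor stays silent, the gap is between the wire and the detection engine, which is where Snort's own test mode (`snort -T -c snort.conf`, to confirm the rule file is actually included and parsed) and pcap replay (`snort -r capture.pcap -c snort.conf`, to separate rule evaluation from the SPAN port and interface choice) are the next checks to run.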
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
