Re: Installing Snort

[Martin Holste <mcholste () gmail com>]

End snort and look at the stats to be sure it inspected packets.
Also, beware of the discarded packets due to bad checksum.  I run with
"config checksum_mode: none" to avoid problems.

On Fri, Jul 8, 2011 at 3:28 PM, Damien Hull <dhull () section9 us> wrote:
> I have snort installed on a web server. It only needs to see incoming
> attacks so that should be working. I double checked snort.conf rules and
> found the port scan rule was commented out. Even after uncommenting that
> rule it doesn't work.
> Nothing shows up in /var/log/snort/snort or the snort report database. I'm
> thinking something was left out of the instructions on snort.org. I double
> checked my configuration several times.
>
> On Jul 8, 2011, at 12:11 PM, Michael Lubinski <michael.lubinski () gmail com>
> wrote:
>
> Is your snort sensor able to see the traffic? (span port, connected via a
> hub?)
> Are the rules uncommented in snort.conf?
>
> On Fri, Jul 8, 2011 at 3:05 PM, Damien Hull <dhull () section9 us> wrote:
> > Here's what I have in /usr/local/snort/rules...
> > total 10356
> > -rw-r--r-- 1 1210 1210   18236 Apr  4 17:59 VRT-License.txt
> > -rw-r--r-- 1 1210 1210    5463 Jun  7 16:35 attack-responses.rules
> > -rw-r--r-- 1 1210 1210  312012 Jun  7 16:35 backdoor.rules
> > -rw-r--r-- 1 1210 1210    1862 Jun  7 16:35 bad-traffic.rules
> > -rw-r--r-- 1 1210 1210  132557 Jun  7 16:35 blacklist.rules
> > -rw-r--r-- 1 1210 1210   49738 Jun  7 16:35 botnet-cnc.rules
> > -rw-r--r-- 1 1210 1210   20259 Jun  7 16:35 chat.rules
> > -rw-r--r-- 1 1210 1210    8642 Jun  7 16:35 content-replace.rules
> > -rw-r--r-- 1 1210 1210    8237 Jun  7 16:35 ddos.rules
> > -rw-r--r-- 1 1210 1210 5048660 Jun  7 16:35 deleted.rules
> > -rw-r--r-- 1 1210 1210   11722 Jun  7 16:35 dns.rules
> > -rw-r--r-- 1 1210 1210   25338 Jun  7 16:35 dos.rules
> > -rw-r--r-- 1 1210 1210    1327 May 16  2005 experimental.rules
> > -rw-r--r-- 1 1210 1210  147124 Jun  7 16:35 exploit.rules
> > -rw-r--r-- 1 1210 1210    4579 Jun  7 16:35 finger.rules
> > -rw-r--r-- 1 1210 1210   33901 Jun  7 16:35 ftp.rules
> > -rw-r--r-- 1 1210 1210   17265 Jun  7 16:35 icmp-info.rules
> > -rw-r--r-- 1 1210 1210    3756 Jun  7 16:35 icmp.rules
> > -rw-r--r-- 1 1210 1210   31824 Jun  7 16:35 imap.rules
> > -rw-r--r-- 1 1210 1210    1041 Jun  7 16:35 info.rules
> > -rw-r--r-- 1 1210 1210     199 Jun  7 16:35 local.rules
> > -rw-r--r-- 1 1210 1210   24059 Jun  7 16:35 misc.rules
> > -rw-r--r-- 1 1210 1210    7166 Jun  7 16:35 multimedia.rules
> > -rw-r--r-- 1 1210 1210   13845 Jun  7 16:35 mysql.rules
> > -rw-r--r-- 1 1210 1210  217140 Jun  7 16:35 netbios.rules
> > -rw-r--r-- 1 1210 1210    5804 Jun  7 16:35 nntp.rules
> > -rw-r--r-- 1 1210 1210    1246 Jun  7 16:35 open-test.conf
> > -rw-r--r-- 1 1210 1210  208849 Jun  7 16:35 oracle.rules
> > -rw-r--r-- 1 1210 1210    1490 Jun  7 16:35 other-ids.rules
> > -rw-r--r-- 1 1210 1210    6432 Jun  7 16:35 p2p.rules
> > -rw-r--r-- 1 1210 1210   56702 Jun  7 16:35 phishing-spam.rules
> > -rw-r--r-- 1 1210 1210   47381 Jun  7 16:35 policy.rules
> > -rw-r--r-- 1 1210 1210    1046 Jun  7 16:35 pop2.rules
> > -rw-r--r-- 1 1210 1210   15701 Jun  7 16:35 pop3.rules
> > -rw-r--r-- 1 1210 1210   91675 Jun  7 16:35 rpc.rules
> > -rw-r--r-- 1 1210 1210    3984 Jun  7 16:35 rservices.rules
> > -rw-r--r-- 1 1210 1210   42175 Jun  7 16:35 scada.rules
> > -rw-r--r-- 1 1210 1210    5307 Jun  7 16:35 scan.rules
> > -rw-r--r-- 1 1210 1210   13707 Jun  7 16:35 shellcode.rules
> > -rw-r--r-- 1 1210 1210   91705 Jun  7 16:35 smtp.rules
> > -rw-r--r-- 1 1210 1210    7250 Jun  7 16:35 snmp.rules
> > -rw-r--r-- 1 1210 1210  335177 Jun  7 16:35 specific-threats.rules
> > -rw-r--r-- 1 1210 1210  546411 Jun  7 16:35 spyware-put.rules
> > -rw-r--r-- 1 1210 1210   46695 Jun  7 16:35 sql.rules
> > -rw-r--r-- 1 1210 1210    7904 Jun  7 16:35 telnet.rules
> > -rw-r--r-- 1 1210 1210    6410 Jun  7 16:35 tftp.rules
> > -rw-r--r-- 1 1210 1210    1574 Jun  7 16:35 virus.rules
> > -rw-r--r-- 1 1210 1210   26552 Jun  7 16:35 voip.rules
> > -rw-r--r-- 1 1210 1210 1943280 Jun  7 16:35 web-activex.rules
> > -rw-r--r-- 1 1210 1210    1470 Jun  7 16:35 web-attacks.rules
> > -rw-r--r-- 1 1210 1210  119084 Jun  7 16:35 web-cgi.rules
> > -rw-r--r-- 1 1210 1210  264702 Jun  7 16:35 web-client.rules
> > -rw-r--r-- 1 1210 1210   14403 Jun  7 16:35 web-coldfusion.rules
> > -rw-r--r-- 1 1210 1210   12895 Jun  7 16:35 web-frontpage.rules
> > -rw-r--r-- 1 1210 1210   53052 Jun  7 16:35 web-iis.rules
> > -rw-r--r-- 1 1210 1210  221135 Jun  7 16:35 web-misc.rules
> > -rw-r--r-- 1 1210 1210   51100 Jun  7 16:35 web-php.rules
> > -rw-r--r-- 1 1210 1210    1891 Jun  7 16:35 x11.rules
> > On Jul 8, 2011, at 11:18 AM, Michael Lubinski <michael.lubinski () gmail com>
> > wrote:
> >
> > What is in the rules directory?
> >
> > On Fri, Jul 8, 2011 at 2:09 PM, Damien Hull <dhull () section9 us> wrote:
> > > I compiled snort for Ubuntu 10.04 following the instructions on the
> > > snort website. I installed the snort rules. Snort and barnyard2 start.
> > > There are snort files in /var/log/snort. However, there's nothing in
> > > the log files. The database doesn't contain any info.
> > >
> > > I did a port scan of the system. I'm assuming snort should pick that
> > > up. Again, nothing in the log files or in the database. I'm using
> > > snort report just like the documentation says.
> > >
> > > Can someone point me in some kind of direction? I must be missing
> > > something.
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > All of the data generated in your IT infrastructure is seriously
> > > valuable.
> > > Why? It contains a definitive record of application performance, security
> > > threats, fraudulent activity, and more. Splunk takes this data and makes
> > > sense of it. IT sense. And common sense.
> > > http://p.sf.net/sfu/splunk-d2d-c2
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please see http://www.snort.org/docs for documentation
>
>
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please see http://www.snort.org/docs for documentation

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation