Snort mailing list archives

Re: Snort doesn't react on rules - help a new snort user


From: Simon Blixt <blixten_496 () hotmail com>
Date: Mon, 23 Apr 2012 06:16:27 +0000


Hi,

Thank you so much for clearing those things out for me, I knew it was something I've missed. 
So, I've added another interface and am running Snort with -Q. Unfortunately it says "ERROR: pcap DAQ does not support inline."
So I guess I've messed something up during the compilation? I will google it and check on the forum for an answer.
Another question: do all of my interfaces need to be in promiscuous mode, or just the bridged ones? And I don't need to enable ipv4-forwarding anymore?

Yours,
Blixten  

Date: Sun, 22 Apr 2012 12:51:27 +0200
Subject: Re: [Snort-users] Snort doesn't react on rules - help a new snort user
From: lysemose () gmail com
To: blixten_496 () hotmail com
CC: snort-users () lists sourceforge net

Hi
You need to decide whether you want to run Snort as IDS or IPS. IDS is pure information gathering, and with IPS you can make the Snort engine block traffic/packets. You shouldn't provide the monitoring interface with an IP.

IDS

You need to set your monitor interface to promiscuous mode, and the port it is connected to on the switch needs to be set to span/mirroring.

If you're going this way I can really recommend the NIDS distro called SecurityOnion, http://securityonion.blogspot.com.

IPS

You need 3 interfaces, one for management and two for the bridge which Snort will create for you. Your interfaces need to be set to promiscuous mode too.
To the command you need to add -Q (run in inline mode) and -i eth1:eth2 (adds the interface pair on which Snort creates the bridge).
I hope this will get you going,

Lysemose
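As an added example (not part of Lysemose's reply or of Snort itself), the two invocations described above written out as shell functions, plus a check against the output of `snort --daq-list` for a DAQ module that advertises inline support, which is what the "pcap DAQ does not support inline" error is about. The binary and config paths are the ones from the original post; the interface names, the choice of the afpacket DAQ, and the sample `--daq-list` text are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project.
# Builds the Snort 2.9 command line for IDS (sniff one mirrored interface)
# and IPS (bridge an interface pair inline), and checks a `snort --daq-list`
# listing for a module that supports inline mode.
# Assumed: paths below match the original post; eth1/eth2 are the bridge pair.

SNORT_BIN=/usr/local/lib/snort/bin/snort
SNORT_CONF=/usr/local/lib/snort/etc/snort.conf

# Put a sensor interface into promiscuous mode with no address, so it only
# listens (the IDS span port, or either side of the IPS bridge). Needs root.
prep_iface() {
    ip addr flush dev "$1"
    ip link set dev "$1" promisc on up
}

# IDS: a single monitor interface; the default pcap DAQ is fine for passive use.
snort_ids_cmd() {
    printf '%s -u snort -g snort -c %s -i %s\n' "$SNORT_BIN" "$SNORT_CONF" "$1"
}

# IPS: -Q for inline mode, a DAQ that supports inline (afpacket by default
# here, as an assumption), and the "a:b" interface pair that Snort bridges.
snort_ips_cmd() {
    printf '%s -u snort -g snort -c %s -Q --daq %s -i %s:%s\n' \
        "$SNORT_BIN" "$SNORT_CONF" "${3:-afpacket}" "$1" "$2"
}

# Read `snort --daq-list` text on stdin; succeed only if the named module's
# capability line contains "inline".
daq_supports_inline() {
    grep -E "^$1\(v[0-9]+\):.*(^|[[:space:]])inline([[:space:]]|$)" >/dev/null
}

# Live check against the installed Snort (not run in the offline test).
check_inline_ready() {
    "$SNORT_BIN" --daq-list | daq_supports_inline "${1:-afpacket}"
}

# Constructed sample of --daq-list output (assumed format): pcap is
# capture-only, afpacket advertises inline.
SAMPLE_DAQ_LIST='Available DAQ modules:
pcap(v3): readback live multi unpriv
afpacket(v5): live inline multi unpriv
'
```

Usage: `prep_iface eth1; prep_iface eth2; eval "$(snort_ips_cmd eth1 eth2)"` for the inline bridge, or `snort_ids_cmd eth1` for the passive setup. If `check_inline_ready afpacket` fails, the DAQ library was built without that module and `-Q` will keep failing regardless of the interface pair.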
On Apr 21, 2012 12:47 PM, "Simon Blixt" <blixten_496 () hotmail com> wrote:

Hi,

I am new to Snort and just managed to set up v. 2.9.2 on Ubuntu 10.04. I have now created my own simple rule, just to try out my setup. It looks like this:

alert tcp any any -> any any (content:"www.uid11.local"; msg:"First rule test"; sid:132321;)

And I run snort like this:
/usr/local/lib/snort/bin/snort -u snort -g snort -c /usr/local/lib/snort/etc/snort.conf -i eth1

But it doesn't work! Nothing happens. After I've hit CTRL+C I see that it has controlled xxx packets, but nothing more, no drops, alerts etc.
My server running Snort got two interfaces, eth0 and eth1. eth0 got IP 10.10.10.3 and eth1 got 192.168.1.1.

I got a webserver on the 10.10.10.0 net with IP 10.10.10.1. And I have a client on the 192.168.1.0 net with IP 192.168.1.10.


To make it possible for my client to reach the webserver I've activated IPv4-forwarding in /etc/sysctl.conf on the server running Snort.
So the client got 192.168.1.1 as its default gateway, and the webserver 10.10.10.3.
So my topology looks like this:
[webserver]--------[IPS/Snort]-------------------[client]
10.10.10.1      10.10.10.3   192.168.1.1           192.168.1.10

What else do you need to know? I need your help to figure out what my noobish head doesn't understand.

Thank you in advance!

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!