Snort mailing list archives
Re: problem with Snort-rules not matching [SOLVED]
From: Simon Blixt <blixten_496 () hotmail com>
Date: Wed, 25 Apr 2012 06:59:57 +0000
Solved. It all works now! I moved my old directories in /usr/local/lib/snort to the new compiled place, /home/user/ (don't ask me why it got located there), and started Snort with only "snort" since the new compiled got compiled in the correct "environment-variable".

From: blixten_496 () hotmail com
To: snort-sigs () lists sourceforge net
Subject:
Date: Sat, 21 Apr 2012 12:52:42 +0000

Hi,

I am new to Snort and just managed to set up v. 2.9.2 on Ubuntu 10.04. I have now created my own simple rule, just to try out my setup. It looks like this:

    alert tcp any any -> any any (content:"www.uid11.local"; msg:"First rule test"; sid: 132321;)

And I run snort like this:

    /usr/local/lib/snort/bin/snort -u snort -g snort -c /usr/local/lib/snort/etc/snort.conf -i eth1

But it doesn't work! Nothing happens. After I've hit CTRL+C I see that it has controlled xxx packets, but nothing more, no drops, alerts etc.

My server running Snort has two interfaces, eth0 and eth1. eth0 has IP 10.10.10.3 and eth1 has 192.168.1.1. I have a webserver on the network 10.10.10.0-net with IP 10.10.10.1. And I have a client on 192.168.1.0-net with IP 192.168.1.10. To make it possible for my client to reach the webserver I've activated IPv4-forwarding in /etc/sysctl.conf on the server running Snort. So the client has 192.168.1.1 as its default gateway, and the webserver 10.10.10.3.

So my topology looks like this:

    [webserver]--------[IPS/Snort]-------------------[client]
    10.10.10.1    10.10.10.3   192.168.1.1       192.168.1.10

What else do you need to know? I need your help to figure out what my noobish head doesn't understand.

Thank you in advance!