Snort mailing list archives

Re: Configuring Snort


From: Damien Hull <dhull () section9 us>
Date: Fri, 24 Aug 2012 19:50:03 -0800

I just did a Metasploit hail mary attack and Snort didn't detect
anything. I'm assuming I should see something about web attacks.

What am I missing?


On Fri, Aug 24, 2012 at 4:47 PM, Damien Hull <dhull () section9 us> wrote:
Marcos,

Thanks for the info. I had the var PREPROC_RULE_PATH set. I went
through the config file and found that the following lines were
commented out.

# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

After enabling them snort picked up my port scan.

Other rules are commented out. I need to figure out which ones to
enable. I'll save that for later. At least I know some of the rules
are working.

On Fri, Aug 24, 2012 at 11:35 AM, Marcos Rodriguez
<marcos.e.rodriguez () gmail com> wrote:


On Fri, Aug 24, 2012 at 3:04 PM, Damien Hull <dhull () section9 us> wrote:

I have Snort installed but the rules don't seem to be working. Here's
what I have.

snort: 2.9.3.1
snort rules: 2.9.2.3
OS: Ubuntu 10.04 LTS
Other: Barnyard2

I know snort and barnyard2 are working. I added the following to
local.rules and it works.
          alert icmp any any -> any any (msg: "ICMP Packet found"; sid:1001;)

I commented out the dynamic detection stuff because that wasn't
loading. I was told my version of snort rules won't work with snort
2.9.3.1.
          # path to dynamic rules libraries
          # dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

I have the scanning section configured. I thought that would allow me
to scan the system and snort would trigger an alert. No such luck.
         # Portscan detection.  For more information, see README.sfportscan
         preprocessor sfportscan: proto  { all } scan_type { all } memcap { 10000000 } s$

Why does the simple rule in local.rules work but a port scan doesn't
get detected?


Hiya Damien,

Sounds like maybe you're not loading your preprocessor.rules file.  The
portscan rules are in that file, under preproc_rules.  Does this line exist
in your current snort.conf:

var PREPROC_RULE_PATH ../preproc_rules


marcos
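The fix in this thread came down to two lines in snort.conf: the PREPROC_RULE_PATH var being set, and the `include $PREPROC_RULE_PATH/...` lines being uncommented. The script below is an added example, not something posted in the thread or shipped with Snort; it audits a snort.conf for exactly those two conditions and can uncomment the preprocessor includes. The config it reads is a constructed sample written to a temp file (mirroring the state described above: var set, includes commented out), and all function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check a snort.conf for the PREPROC_RULE_PATH
# var and for commented-out preprocessor/decoder rule includes, and optionally fix
# the includes. Works on a constructed sample conf so it runs offline.

# Constructed sample snort.conf fragment: var set, preprocessor includes commented out.
write_sample_conf() {
  cat > "$1" <<'EOF'
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
include $RULE_PATH/local.rules
# decoder and preprocessor event rules
#include $PREPROC_RULE_PATH/preprocessor.rules
#include $PREPROC_RULE_PATH/decoder.rules
#include $PREPROC_RULE_PATH/sensitive-data.rules
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low }
EOF
}

# Print "set <value>" if PREPROC_RULE_PATH is defined on an uncommented line, else "unset".
preproc_path_status() {
  val=$(grep -E '^[[:space:]]*var[[:space:]]+PREPROC_RULE_PATH[[:space:]]+' "$1" \
        | awk '{print $3}' | tail -n1)
  if [ -n "$val" ]; then echo "set $val"; else echo "unset"; fi
}

# Rule files under $PREPROC_RULE_PATH whose include line is commented out (one per line).
commented_preproc_includes() {
  grep -E '^[[:space:]]*#[[:space:]]*include[[:space:]]+\$PREPROC_RULE_PATH/' "$1" \
    | sed -E 's|.*\$PREPROC_RULE_PATH/||'
}

# Rule files under $PREPROC_RULE_PATH whose include line is active (one per line).
active_preproc_includes() {
  grep -E '^[[:space:]]*include[[:space:]]+\$PREPROC_RULE_PATH/' "$1" \
    | sed -E 's|.*\$PREPROC_RULE_PATH/||'
}

# Strip the leading '#' from every commented $PREPROC_RULE_PATH include, rewriting the file.
# (Writes to a temp copy and moves it back, so it does not depend on GNU sed -i.)
enable_preproc_includes() {
  sed -E 's|^[[:space:]]*#[[:space:]]*(include[[:space:]]+\$PREPROC_RULE_PATH/)|\1|' "$1" \
    > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone demo: report on the sample, enable the includes, report again.
conf=$(mktemp)
write_sample_conf "$conf"
echo "PREPROC_RULE_PATH: $(preproc_path_status "$conf")"
echo "commented preprocessor includes before fix:"
commented_preproc_includes "$conf"
enable_preproc_includes "$conf"
echo "active preprocessor includes after fix:"
active_preproc_includes "$conf"
rm -f "$conf"
```

Run it against a real file by replacing `"$conf"` with the path to your snort.conf; an "unset" status or any output from `commented_preproc_includes` is the symptom described in this thread. Note that this only checks the includes are uncommented, not that the files they point to exist under PREPROC_RULE_PATH, which `snort -T -c snort.conf` will tell you.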

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
